Full Disclosure mailing list archives
Re: FD / lists.grok.org - bad SSL cert
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Tue, 6 Jan 2009 00:36:25 +0200 (EET)
It was Mozilla.com: http://www.sslshopper.com/article-ssl-certificate-for-mozilla.com-issued-without-validation.html

Juha-Matti

Volker Tanger [vtlists () wyae de] wrote:
Hi!

The prevailing use of self-signed certs on the Internet basically destroys the usefulness of HTTPS, since it trains users to simply click "add exception" and ignore the scary warnings "because then I get the lock icon, which means I'm safe!"

[...]

stop being so effing stingy and cough up the $70 for a certificate signed by a CA that is in the default trusted bundle of major browsers.

Well, last month we saw reports that one of those "trusted" CAs (one of those preinstalled-in-all-browsers ones) signed certificates without *any* check. The example chosen was MOZILLA.ORG (.com? not sure). A few years ago there was the case of the microsoft.com cert being signed to a non-MS person.

So training the users "lock = safe" or even "green lock = safe" is as misleading as using self-signed certs. And as browsers usually do not check CRLs, there is no way of preventing the use of wrongfully signed certificates short of distributing a "software update" (as was done in the MS case). If browsers had a cert cache and checked it similarly to SSH, MitM attacks would be much harder.

Bye

Volker

--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
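Volker's suggestion of an SSH-style certificate cache, sketched as an added example (not code from the list or from any of the posters): a trust-on-first-use pin store in a known_hosts-like text format, with a check that distinguishes a first sighting, a matching pin, and a changed certificate. The file format, function names, and the byte strings standing in for DER certificates are all constructed for this example.

```python
import hashlib
import ssl

# Pin store format (an assumption for this example): one line per endpoint,
#   "<host>:<port> sha256:<hex fingerprint>"
# Lines starting with "#" are comments.


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (what cert viewers show)."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


def parse_cache(text: str) -> dict:
    """Parse the pin store text into {"host:port": "sha256:..."}."""
    cache = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, fp = line.split(maxsplit=1)
        cache[key] = fp
    return cache


def format_cache(cache: dict) -> str:
    """Serialise the pin store back to text, sorted for stable diffs."""
    return "".join(f"{key} {fp}\n" for key, fp in sorted(cache.items()))


def check_pin(cache: dict, host: str, port: int, der_cert: bytes) -> str:
    """Trust-on-first-use check.

    'new'      first sighting: the pin is recorded (cache is updated in place)
    'match'    same certificate as before
    'mismatch' certificate changed; the pin is NOT overwritten. This is either
               a wrongly issued / MitM certificate or a legitimate rotation, so
               the caller has to surface it rather than silently accept it.
    """
    key = f"{host}:{port}"
    fp = fingerprint(der_cert)
    seen = cache.get(key)
    if seen is None:
        cache[key] = fp
        return "new"
    return "match" if seen == fp else "mismatch"


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Fetch a live leaf certificate (needs network; not used by the offline demo)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
```

Unlike a CRL lookup, the cache catches a certificate that was mis-issued before any revocation was published, but it cannot tell a rotation from an attack on its own, so the mismatch path needs a human or an out-of-band check.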