oss-sec mailing list archives
Possible CVE for TLS protocol issue
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 19 Sep 2016 14:39:11 -0600
This was pointed out to me by mjc@: https://kcitls.org/

TL;DR: if you can trick someone into installing a client certificate you can then spoof any future web site. Certainly not what we want from the people issuing client certificates.

It sounds like this is a protocol-level vulnerability affecting closed and Open Source vendors potentially, and it is public so posting it here.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com

Current thread:
- Possible CVE for TLS protocol issue Kurt Seifried (Sep 19)
- Re: Possible CVE for TLS protocol issue Reed Loden (Sep 19)
- Re: Possible CVE for TLS protocol issue cve-assign (Sep 20)