oss-sec mailing list archives

Possible CVE for TLS protocol issue


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 19 Sep 2016 14:39:11 -0600

This was pointed out to me by mjc@:

https://kcitls.org/

TL;DR: if you can trick someone into installing a client certificate you can
then spoof any future web site. Certainly not what we want from the people
issuing client certificates. It sounds like this is a protocol level
vulnerability affecting closed and Open Source vendors potentially, and it
is public so posting it here.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
