Penetration Testing mailing list archives
Re: RE: Cain a& Abel Question
From: "Anish" <anish () myrealbox com>
Date: Thu, 22 May 2003 21:22:29 +0100
Hi David,
Mike Benham noted last August that IE was lame in >>how it checks for valid certificates. At that time, >>you could take an end user certificate and use it to >>sign another (fake) certificate. If you owned one >>domain name and got a certificate, you could >>impersonate anyone. Don't know if the example site >>is still up but the posting is here:http://www.thoughtcrime.org/ie-ssl-chain.txt
to best of my knowledge this bit on IE was followed by a patch ,what had happened with this was the cert chain was searched for a trusted cert and if found the cert was trusted ,without making sure the fullcert path there was trusted :-)till the CA. regards anish --------------------------------------------------------------------------- *** Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs. To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-pen-test ----------------------------------------------------------------------------
Current thread:
- Cain a& Abel Question Pete Jacob (May 21)
- <Possible follow-ups>
- RE: Cain a& Abel Question Cushing, David (May 21)
- RE: Cain a& Abel Question Pete Jacob (May 22)
- RE: Cain a& Abel Question n0brain (May 22)
- RE: Cain a& Abel Question Sebastian Garcia (May 22)
- RE: Cain a& Abel Question Pete Jacob (May 22)
- RE: Cain a& Abel Question Eliot Mansfield (May 22)
- RE: Cain a& Abel Question Christopher Harrington (May 22)
- RE: Cain a& Abel Question Cushing, David (May 22)
- Re: RE: Cain a& Abel Question Anish (May 22)