Penetration Testing mailing list archives
Re: HTTPS proxy tool that resigns SSL certs
From: Rogan Dawes <discard () dawes za net>
Date: Fri, 09 Jun 2006 12:09:32 +0200
Ritesh Rekhi wrote:
Hi All,

I was going through this discussion. I have 2 questions on the discussion below:

1. Is it possible to get the same cert (cert with same cn) from two different CAs which are trusted by the browser, i.e. let's say my site is www.foo.com and I get my cert signed by Verisign but attacker generates the CSR using same name and gets it signed by Thawte.

2. If what I mentioned in question 1 is true, then is it possible to do a MITM attack without attracting the client's attention.

Regards,
Ritesh
In answer to your first question, see my option 1 that I wrote previously. It is unlikely that they will issue you a certificate if you cannot prove that you own the domain in question. However, it may be possible to hijack the domain for long enough to pass the various validation checks, etc, and get a cert issued.
If this happens, yes, it is game over for that domain. The users will not get any warning that they are visiting a different site.
1. Compromise a recognised CA's verification checks to convince them to issue you a certificate for the target site. This is unlikely. However, VeriSign has issued certs in Microsoft's name in the past, so not completely impossible. This also limits you to the particular sites that you manage to get certs for.
Regards,
Rogan