lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon May 22 14:30:39 2006 From: michael.holstein at csuohio.edu (Michael Holstein) Subject: Five Ways to Screw Up SSL > I was referring to the CA that signs it. It was implied that > freessl.com, who gives out trial certificates, is an unreliable CA. I > do not understand why their certs would be any less valid than > anothers. Not less valid, less trusted. SSL is a heirarchical "web of trust". > As long as the website listed on the cert is the website you are > visiting, why should it matter who issued the cert? Because how can I know that a certificate issued to "A" is really entity "A", unless I trust a central authority to do the homework. Phishing attacks love this trick. If anybody could get a cert for "www.chase.com" that was valid to the browser, then anybody that could do DNS foo to the client could spoof the real Chase. /mike.
Powered by blists - more mailing lists