| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.58.0406021021120.20695@wotan.suse.de> From: krahmer at suse.de (Sebastian Krahmer) Subject: VerySign Class 1 Authority - bogus SSL certificate? On Wed, 2 Jun 2004, Chris van der Pennen wrote: Hi, Depending on your trusted-CA package for your SSL client, this should not verify. There are various ways to confuse SSL clients. Especially GUI based web-browsers allow to play tricks where you cant decide whether you are prompted a correct certificate. Some do not check the signature at all. If in doubt, if there is any popup on a HTTPS site, theres someone playing games. I am going to release slides from a speach regarding that topic soon. (in german unfortunally) Sebastian > I've been getting SSL certificates from various websites recently that are > apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign. > The certificate expired 6 December 2002. > > The data in Issued To and Issued By are identical. > > This smells very much like an SSL hijack attempt - can anyone shed some > light on the situation? > > Chris > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > -- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@...e.de - SuSE Security Team ~
Powered by blists - more mailing lists