| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20071205.2ea0df8bb8444c6ccf5e2f1d55851708@cynops.de>
Date: Wed, 5 Dec 2007 09:26:18 +0100
From: Alexander Klink <a.klink@...ops.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Certificate spoofing issue with Mozilla,
Konqueror, Safari 2
Hi,
On Sun, Nov 18, 2007 at 10:21:18PM +0100, Nils Toedtmann wrote:
> DN="CN=www.example.com"
> subjectAltName:dNSName=www.example.com
> subjectAltName:dNSName=www.paypal.com
>
> and lures the user to https://www.example.com/. The user gets an
> "unknown CA" warning, but the "subjectAltName:dNSName" extensions
> are not shown to him, so the cert looks ok. As he does not plan to
This is particularly annoying as there is no way to actually view the
subjectAltNames in Mozilla (except for being able to translate the
hexdump in your head). At least they're planning to change the handling
of wildcards[0], so it is no longer enough to get that one certificate
with a subjectAltName of '*' installed.
Best regards,
Alex
[0]: http://permalink.gmane.org/gmane.comp.mozilla.crypto/8429
--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@...ops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists