| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 5 Jan 2009 22:43:33 +0100 From: Volker Tanger <vtlists@...e.de> To: full-disclosure@...ts.grok.org.uk Subject: Re: FD / lists.grok.org - bad SSL cert Hi! > The prevailing use of self-signed certs on the Internet basically > destroys the usefulness of HTTPS, since it trains users to simply > click "add exception" and ignore the scary warnings "because then I > get the lock icon, which means I'm safe!" [...] > stop being so effing > stingy and cough up the $70 for a certificate signed by a CA that is > in the default trusted bundle of major browsers. Well, last month we saw reports that one of those "trusted" CAs (one of those preinstalled-in-all-browsers one) signed certificates without *any* check. The example chosen was MOZILLA.ORG (.com? not sure). Few years ago there was the case of microsoft.com cert being signed to a non-MS person. So training the users "lock = safe" or even "green lock = safe" is as misleading as using self-signed certs. And as browsers usually do not check CRLs, there is no way preventing the use of wrongfully signed certificates short of distributing a "software update" (as was with the MS case). If browsers had a cert cache and checked it similar to SSH, MitM-attacks would be much harder. Bye Volker -- Volker Tanger http://www.wyae.de/volker.tanger/ -------------------------------------------------- vtlists@...e.de PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists