[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20090105224333.dad380c1.vtlists@wyae.de>
Date: Mon, 5 Jan 2009 22:43:33 +0100
From: Volker Tanger <vtlists@...e.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: FD / lists.grok.org - bad SSL cert
Hi!
> The prevailing use of self-signed certs on the Internet basically
> destroys the usefulness of HTTPS, since it trains users to simply
> click "add exception" and ignore the scary warnings "because then I
> get the lock icon, which means I'm safe!"
[...]
> stop being so effing
> stingy and cough up the $70 for a certificate signed by a CA that is
> in the default trusted bundle of major browsers.
Well, last month we saw reports that one of those "trusted" CAs (one of
those preinstalled-in-all-browsers one) signed certificates without
*any* check. The example chosen was MOZILLA.ORG (.com? not sure). Few
years ago there was the case of microsoft.com cert being signed to a
non-MS person.
So training the users "lock = safe" or even "green lock = safe" is as
misleading as using self-signed certs.
And as browsers usually do not check CRLs, there is no way preventing
the use of wrongfully signed certificates short of distributing a
"software update" (as was with the MS case). If browsers had a cert
cache and checked it similar to SSH, MitM-attacks would be much harder.
Bye
Volker
--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@...e.de PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists