Message-ID: <24360961.345001231194986243.JavaMail.juha-matti.laurio@netti.fi>
Date: Tue, 6 Jan 2009 00:36:25 +0200 (EET)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: Volker Tanger <vtlists@...e.de>, full-disclosure@...ts.grok.org.uk
Subject: Re: FD / lists.grok.org - bad SSL cert
It was Mozilla.com:
http://www.sslshopper.com/article-ssl-certificate-for-mozilla.com-issued-without-validation.html
Juha-Matti
Volker Tanger [vtlists@...e.de] wrote:
> Hi!
>
> > The prevailing use of self-signed certs on the Internet basically
> > destroys the usefulness of HTTPS, since it trains users to simply
> > click "add exception" and ignore the scary warnings "because then I
> > get the lock icon, which means I'm safe!"
> [...]
> > stop being so effing
> > stingy and cough up the $70 for a certificate signed by a CA that is
> > in the default trusted bundle of major browsers.
>
> Well, last month we saw reports that one of those "trusted" CAs (one of
> those preinstalled-in-all-browsers ones) signed certificates without
> *any* check. The example chosen was MOZILLA.ORG (.com? not sure). A few
> years ago there was the case of the microsoft.com cert being signed to a
> non-MS person.
>
> So training the users "lock = safe" or even "green lock = safe" is as
> misleading as using self-signed certs.
>
> And as browsers usually do not check CRLs, there is no way of preventing
> the use of wrongfully signed certificates short of distributing a
> "software update" (as was done in the MS case). If browsers had a cert
> cache and checked it similarly to SSH, MitM attacks would be much harder.
>
>
> Bye
>
> Volker
>
> --
>
> Volker Tanger http://www.wyae.de/volker.tanger/
> --------------------------------------------------
> vtlists@...e.de PGP Fingerprint
> 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
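Volker's suggestion of an SSH-style certificate cache in the browser, worked through as an added example (this is not code from the thread or from any browser). It pins the SHA-256 fingerprint of the leaf certificate on first contact, keyed by host:port like ~/.ssh/known_hosts, and on a later mismatch refuses to overwrite the pin silently; the user has to re-trust explicitly, which is exactly the decision a CRL-less browser cannot make on its own today. The host names, the cache file path and the byte strings standing in for DER certificates are constructed for the example so it runs offline; fetch_der() is only used when the script is run against a live host.

```python
"""Trust-on-first-use (TOFU) certificate cache, in the style of ~/.ssh/known_hosts.

Example code added alongside the thread, not taken from it. Host names, the
cache path and the sample certificate bytes below are constructed.
"""
import hashlib
import json
import ssl
import sys
from pathlib import Path
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded certificates so the example runs
# offline. A real run gets these bytes from fetch_der() below.
SAMPLE_CERT_A = b"constructed-der-bytes-for-cert-A"
SAMPLE_CERT_B = b"constructed-der-bytes-for-cert-B"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, hex-encoded: the value we pin."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a server presents, without CA validation.

    CA validation is deliberately skipped here: the cache is meant to catch a
    certificate that changes between visits even when a trusted CA signed it.
    In practice you would run both checks, not replace one with the other.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class CertCache:
    """Remembers the first certificate seen per host:port and flags changes."""

    NEW, MATCH, MISMATCH = "new", "match", "mismatch"

    def __init__(self, path: Optional[str] = None):
        self.path = Path(path) if path else None
        self.entries: Dict[str, str] = {}
        if self.path and self.path.exists():
            self.entries = json.loads(self.path.read_text())

    def check(self, host: str, port: int, der: bytes) -> str:
        """Return NEW (pinned now), MATCH, or MISMATCH.

        On MISMATCH the stored pin is left untouched: the caller has to decide
        whether this is a legitimate key rotation or a man-in-the-middle, and
        call trust() explicitly to accept the new certificate.
        """
        key = f"{host}:{port}"
        fp = fingerprint(der)
        pinned = self.entries.get(key)
        if pinned is None:
            self.entries[key] = fp
            self._save()
            return self.NEW
        return self.MATCH if pinned == fp else self.MISMATCH

    def trust(self, host: str, port: int, der: bytes) -> str:
        """Explicitly (re)pin a certificate after out-of-band verification."""
        key = f"{host}:{port}"
        self.entries[key] = fingerprint(der)
        self._save()
        return self.entries[key]

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.entries, indent=2, sort_keys=True))


def verdict_for(host: str, port: int, der: bytes, cache: CertCache) -> str:
    """One-line result, phrased the way a browser warning would be."""
    state = cache.check(host, port, der)
    fp = fingerprint(der)
    if state == CertCache.NEW:
        return f"{host}:{port}: first visit, pinned {fp[:16]}..."
    if state == CertCache.MATCH:
        return f"{host}:{port}: certificate unchanged ({fp[:16]}...)"
    pinned = cache.entries[f"{host}:{port}"]
    return (f"{host}:{port}: WARNING certificate changed! pinned "
            f"{pinned[:16]}..., got {fp[:16]}...")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tofu_cache.py HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    # Cache file location is an assumption for the example.
    cache = CertCache(str(Path.home() / ".tofu_certs.json"))
    print(verdict_for(host, port, fetch_der(host, port), cache))
```

Two caveats a practitioner should keep in mind: the first visit is unauthenticated (an attacker present at that moment gets pinned), and every legitimate key rotation looks like a mismatch, so the user still needs an out-of-band way to decide when to call trust(). That is why this belongs next to CA validation and revocation checking rather than instead of them.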