Message-ID: <827hc0ltr6.fsf@mid.bfk.de>
Date: Tue, 15 Mar 2011 07:37:01 +0000
From: Florian Weimer <fweimer@....de>
To: Matt McCutchen <matt@...tmccutchen.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: TLS servers with overbroad certificates may mishandle diverted connections
* Matt McCutchen:
> To test a server, simply view its certificate, choose a DNS name for
> which the certificate is valid but for which the server is not listed in
> DNS, and map that name to the server in your hosts file.
So you need a certificate to make this work. This is out of scope of
what TLS protects against. If you've got a breach on the X.509 side
of things, TLS won't help you (if you rely on X.509 certificates).
> An HTTP redirect to a non-TLS site is bad: if it happens on a request
> for a JavaScript file, the attacker can now inject malicious code.
I agree that this can be a problem, but it is not a protocol issue.
It's a server-side misconfiguration, combined with a certificate that
was inappropriately acquired or shared.
--
Florian Weimer <fweimer@....de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
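As an added illustration (not part of this thread, and not code from either poster), the Python below puts both halves of the discussion into runnable form. SERVED_HOSTS, CERT_SANS and the request bytes are constructed for the example. overbroad_names() lists the certificate names a diverted connection could target (the "valid for the cert but not served" set Matt describes); handle_misconfigured() is the server-side behaviour he warns about, redirecting an unknown Host to a plain-http URL, next to handle_hardened(), which answers 421 Misdirected Request instead; probe() performs his hosts-file test against a live server using SNI and the Host header, without touching /etc/hosts, and is network-only.

```python
import socket
import ssl
from dataclasses import dataclass, field
from typing import Optional

# Constructed configuration for a hypothetical server: the names it actually
# serves, and the subjectAltNames of the certificate it presents.
SERVED_HOSTS = {"www.example.com", "api.example.com"}
CERT_SANS = ["*.example.com", "example.com", "www.example.net"]


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style comparison: a wildcard covers exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        suffix = san[1:]                      # ".example.com"
        label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(label) and "." not in label
    return san == hostname


def cert_covers(hostname: str, sans=CERT_SANS) -> bool:
    return any(san_matches(s, hostname) for s in sans)


def overbroad_names(served, sans) -> list:
    """SANs a diverted connection could use: literal names not served here, plus
    every wildcard (it covers unboundedly many names the server never serves)."""
    served = {h.lower() for h in served}
    return sorted(s for s in sans if s.startswith("*.") or s.lower() not in served)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes):
    """Return (method, target, host) from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    host: Optional[str] = None
    for line in head[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").split(":")[0].lower()
            break
    return parts[0].decode("ascii"), parts[1].decode("ascii"), host


def handle_misconfigured(raw: bytes) -> Response:
    """The behaviour the thread warns about: a Host the server does not know is
    'helpfully' redirected to the canonical site over plain http."""
    _, target, host = parse_request(raw)
    if host in SERVED_HOSTS:
        return Response(200, {"Content-Type": "application/javascript"}, b"/* app.js */")
    return Response(302, {"Location": "http://www.example.com" + target})


def handle_hardened(raw: bytes) -> Response:
    """A name may be valid for our certificate without being ours to serve:
    refuse it outright instead of downgrading the client to plaintext."""
    _, target, host = parse_request(raw)
    if host is None or host not in SERVED_HOSTS:
        return Response(421, {"Content-Type": "text/plain", "Connection": "close"},
                        b"Misdirected Request")
    return Response(200, {"Content-Type": "application/javascript"}, b"/* app.js */")


def leaks_to_plaintext(resp: Response) -> bool:
    """True if the response sends the client to an http:// URL."""
    loc = resp.headers.get("Location", "")
    return 300 <= resp.status < 400 and loc.lower().startswith("http://")


def probe(ip: str, diverted_name: str, path: str = "/app.js", port: int = 443, timeout: float = 5.0):
    """The hosts-file test from the thread without editing /etc/hosts: connect
    to `ip`, present `diverted_name` via SNI and Host, and report the status,
    Location and whether the server downgraded to plaintext. Network-only."""
    ctx = ssl.create_default_context()         # verifies the cert against diverted_name
    request = f"GET {path} HTTP/1.1\r\nHost: {diverted_name}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=diverted_name) as tls:
            tls.sendall(request.encode("ascii"))
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    location = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("location:")), None)
    return status, location, bool(location and location.lower().startswith("http://"))


if __name__ == "__main__":
    print("overbroad:", overbroad_names(SERVED_HOSTS, CERT_SANS))
    diverted = b"GET /app.js HTTP/1.1\r\nHost: cdn.example.com\r\n\r\n"   # constructed request
    for handler in (handle_misconfigured, handle_hardened):
        r = handler(diverted)
        print(handler.__name__, r.status, r.headers.get("Location"),
              "downgrade" if leaks_to_plaintext(r) else "ok")
```

The hardened handler deliberately does not try to be helpful: whatever name the client sent, if it is not one this vhost was configured to serve, the safe answer is a refusal over the already-established TLS connection, never a Location pointing at http://. probe() succeeds at the handshake precisely when the certificate is valid for the diverted name, which is the precondition both posters take for granted.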