|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?
From: Sebastian Krahmer (krahmer
suse.de)
Date: Wed Jun 02 2004 - 03:26:06 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 2 Jun 2004, Chris van der Pennen wrote:
Hi,
Depending on your trusted-CA package for your SSL client, this
should not verify. There are various ways to confuse SSL clients.
Especially GUI based web-browsers allow to play tricks where
you cant decide whether you are prompted a correct certificate.
Some do not check the signature at all. If in doubt, if there
is any popup on a HTTPS site, theres someone playing games.
I am going to release slides from a speach regarding that topic soon.
(in german unfortunally)
Sebastian
> I've been getting SSL certificates from various websites recently that are
> apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign.
> The certificate expired 6 December 2002.
>
> The data in Issued To and Issued By are identical.
>
> This smells very much like an SSL hijack attempt - can anyone shed some
> light on the situation?
>
> Chris
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmersuse.de - SuSE Security Team
~
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]