|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?
Valdis.Kletnieks
vt.edu
Date: Wed Jun 02 2004 - 11:45:09 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 02 Jun 2004 07:39:31 +0930, Chris van der Pennen <chrissw.gotdns.org> said:
> I've been getting SSL certificates from various websites recently that are
> apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign.
> The certificate expired 6 December 2002.
> The data in Issued To and Issued By are identical.
> This smells very much like an SSL hijack attempt - can anyone shed some
> light on the situation?
Or some webserver package that builds a self-signed certificate so SSL works
without having to pay Verisign, and does so in a "cute" manner that users are
likely to accept the cert without thinking about it. It's probably NOT a hijack
attempt unless you have *OTHER* evidence of that (phishy-looking redirect
javascript on the page, etc....)
Given how little *real* security a signed cert creates, it's probably not worth
worrying about.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFAvgQVcC3lWbTT17ARAlrVAJ9T1FFe/59JW70YrJS7QwQCfK6VAwCfTFcY
ck+HeWfrjGZPOXX9mkqrJDo=
=eDvw
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]