What no browser implements, AFAIK, is automagic display of who a valid certificate authenticates. I could register a domain name and get an SSL certificate. Only those suspicious enough to check the certificate would notice the authenticated domain was not what the HTML indicated.
Maybe we need a separate list of bad certificates, not controlled by any CA, that browsers could check. An online "sting" site might be a good idea too.
Just in case anyone is wondering {phish,phishing}.{org,com,co.uk,org,uk} are all registered already. I am not associated with any of those sites.
Posted Dec 29, 2008 10:13 UTC (Mon) by TRS-80 (subscriber, #1804)
What no browser implements, AFAIK, is automagic display of who a valid certificate authenticates. I could register a domain name and get an SSL certificate. Only those suspicious enough to check the certificate would notice the authenticated domain was not what the HTML indicated.
Extended Validation (EV) certificates are supposed to solve this - the browser displays the registered company name in the UI (examples in IE, FF and Safari).
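The two points in this exchange (a certificate only vouches for the names in it, and EV adds a registered organisation name a browser can show) can be made concrete with a short Go program. This is an added example, not code from either commenter; it builds a self-signed certificate in memory with a constructed organisation ("Example Bank Ltd") and host name ("login.example-bank.test") so it runs offline, then pulls out exactly what a browser would have to display and checks a claimed host against the certificate's SAN list the way a TLS client does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertIdentity is what a browser could surface to the user: the DNS names
// the certificate actually authenticates and, for EV-style certificates,
// the registered organisation name from the Subject.
type CertIdentity struct {
	DNSNames     []string
	Organization string
}

// makeTestCert builds a self-signed certificate in memory so the example runs
// offline. The organisation and host names passed in are constructed for
// this example and do not refer to any real site.
func makeTestCert(org string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Organization: []string{org},
			CommonName:   dnsNames[0],
		},
		DNSNames:    dnsNames, // what the certificate really authenticates
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Identity extracts the names the certificate vouches for: the SAN DNS
// entries, and the organisation name an EV-aware UI would display.
func Identity(cert *x509.Certificate) CertIdentity {
	id := CertIdentity{DNSNames: append([]string(nil), cert.DNSNames...)}
	if len(cert.Subject.Organization) > 0 {
		id.Organization = cert.Subject.Organization[0]
	}
	return id
}

// AuthenticatesHost reports whether the certificate covers the host the page
// claims to be, using the same SAN matching a TLS client performs. A
// look-alike name with a different spelling fails this check even though the
// certificate itself is perfectly valid.
func AuthenticatesHost(cert *x509.Certificate, claimedHost string) bool {
	return cert.VerifyHostname(claimedHost) == nil
}

func main() {
	cert, err := makeTestCert("Example Bank Ltd", []string{"login.example-bank.test"})
	if err != nil {
		panic(err)
	}
	id := Identity(cert)
	fmt.Printf("certificate authenticates %v, organisation %q\n", id.DNSNames, id.Organization)
	// The second host is a constructed look-alike (digit 1 for letter l).
	for _, host := range []string{"login.example-bank.test", "login.examp1e-bank.test"} {
		fmt.Printf("page claims %s: certificate matches = %v\n", host, AuthenticatesHost(cert, host))
	}
}
```

The point the example makes is the one in the thread: a valid certificate for a look-alike domain passes every cryptographic check, so the only defence is surfacing the authenticated names (and, with EV, the organisation) to the user rather than relying on the page's own HTML.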