SSL flaws revealed at Black Hat

SSL flaws revealed at Black Hat

Posted Aug 7, 2009 10:27 UTC (Fri) by intgr (subscriber, #39733)
Parent article: SSL flaws revealed at Black Hat

Quote:

The CAs should also stop signing such certificates, and revoke those that they have already issued, but that, of course, doesn't stop anyone from self-signing a certificate with a NUL byte in the domain name.
But what do you gain from creating self-signed certificates with the null byte? It was always possible to forge a self-signed certificate for any domain; adding a null byte anywhere doesn't really help you. You can sign a certificate for www.paypal.com\0.thoughtcrime.org just like you can sign one for www.paypal.com.


(Log in to post comments)

SSL flaws revealed at Black Hat

Posted Aug 7, 2009 11:45 UTC (Fri) by farnz (guest, #17727)

Given the use of self-signed SSL certs all over the place for things like mailing list archives, the exploit goes something like:

  1. Convince user to install your "CA" certificate, to avoid warnings on a Facebook application/mailing list archive/other low-security requirement site.
  2. Create certificate for www.paypal.com\0.example.com.
  3. Go phish!

We know from various trojans that users can be convinced to do various very stupid things, given the right inducement. We know that SSL warnings are scary, and that browsers are making them scarier. We also know that SSL certificates for commercial use from CAs included in all major browsers (including older browsers like IE6) aren't free. Put these together, and a decent criminal should be able to come up with a plausible reason to install their CA certificate, then go play.
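What step 2 relies on is the client side: a verifier that copies the certificate's CommonName into a NUL-terminated C string and compares it with strcmp() stops at the embedded NUL and sees only "www.paypal.com". The following C snippet is an added example, not code from the thread or from any browser or TLS library; the CommonName bytes, their declared length and the ".example.com" suffix are constructed to mirror the comment above, and the function names are hypothetical. It places the naive comparison beside a length-aware one that rejects any name containing a NUL.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: the bytes a CommonName field would carry for
 * "www.paypal.com\0.example.com", plus the length the ASN.1 encoding
 * declares for it. sizeof() counts the literal's own trailing NUL, so
 * subtract one: 14 + 1 + 12 = 27 bytes, with a NUL at offset 14. */
static const unsigned char CN_WITH_NUL[] = "www.paypal.com\0.example.com";
#define CN_WITH_NUL_LEN (sizeof(CN_WITH_NUL) - 1)

/* Control case: an ordinary CommonName with no embedded NUL (14 bytes). */
static const unsigned char CN_PLAIN[] = "www.paypal.com";
#define CN_PLAIN_LEN (sizeof(CN_PLAIN) - 1)

/* Naive matcher (the flawed pattern): treats the CommonName as a C string,
 * so the comparison ends at the first NUL and ".example.com" is never seen.
 * Returns 1 on match, 0 otherwise. */
int hostname_matches_naive(const unsigned char *cn, size_t cn_len,
                           const char *expected)
{
    (void)cn_len; /* the declared length is ignored, which is the bug */
    return strcmp((const char *)cn, expected) == 0;
}

/* Diagnostic check: a NUL anywhere inside the declared length means the
 * C-string view and the encoded value disagree. Returns 1 if a NUL is found. */
int cn_has_embedded_nul(const unsigned char *cn, size_t cn_len)
{
    return memchr(cn, '\0', cn_len) != NULL;
}

/* Length-aware matcher (the fix): uses the declared length, refuses any
 * name containing a NUL, and compares the full byte sequence. */
int hostname_matches_checked(const unsigned char *cn, size_t cn_len,
                             const char *expected)
{
    if (cn_has_embedded_nul(cn, cn_len))
        return 0;                       /* never valid in a DNS name */
    if (cn_len != strlen(expected))
        return 0;
    return memcmp(cn, expected, cn_len) == 0;
}

int main(void)
{
    const char *want = "www.paypal.com";

    printf("NUL cert, naive matcher   : %d\n",
           hostname_matches_naive(CN_WITH_NUL, CN_WITH_NUL_LEN, want));
    printf("NUL cert, checked matcher : %d\n",
           hostname_matches_checked(CN_WITH_NUL, CN_WITH_NUL_LEN, want));
    printf("plain cert, checked matcher: %d\n",
           hostname_matches_checked(CN_PLAIN, CN_PLAIN_LEN, want));
    return 0;
}
```

Run as-is, the naive matcher accepts the 27-byte name as "www.paypal.com" while the checked matcher rejects it and still accepts the ordinary 14-byte name. The same length-versus-strlen disagreement is what a defender can log or alert on when inspecting certificates, independent of which CA signed them.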

SSL flaws revealed at Black Hat

Posted Aug 12, 2009 17:54 UTC (Wed) by yodermk (subscriber, #3803)

But how is that different than using that same CA to just sign one for www.paypal.com?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds