SSL flaws revealed at Black Hat

Posted Aug 7, 2009 11:45 UTC (Fri) by farnz (guest, #17727)
In reply to: SSL flaws revealed at Black Hat by intgr
Parent article: SSL flaws revealed at Black Hat

Given the use of self-signed SSL certs all over the place for things like mailing list archives, the exploit goes something like:

  1. Convince user to install your "CA" certificate, to avoid warnings on a Facebook application/mailing list archive/other low-security requirement site.
  2. Create certificate for www.paypal.com\0.example.com.
  3. Go phish!

We know from various trojans that users can be convinced to do various very stupid things, given the right inducement. We know that SSL warnings are scary, and that browsers are making them scarier. We also know that SSL certificates for commercial use from CAs included in all major browsers (including older browsers like IE6) aren't free. Put these together, and a decent criminal should be able to come up with a plausible reason to install their CA certificate, then go play.


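The step 2 certificate name in the comment above, "www.paypal.com\0.example.com", works because a CA (or a signing tool) handles the subject CN as a length-delimited byte string and so validates ownership of example.com, while a client that later copies the CN into a C string and calls strcmp() stops at the embedded NUL and sees only www.paypal.com. The following is an added example written for this page, not code from the comment author or from any browser or CA; the hostname matcher and the CA's domain-extraction routine are simplified models, and the CN bytes are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the subject CN bytes the attacker puts in the CSR for
 * "www.paypal.com\0.example.com". The literal's own trailing NUL is dropped
 * from the length so the embedded NUL is the only one in the buffer. */
static const unsigned char kEvilCN[] = "www.paypal.com\0.example.com";
static const size_t kEvilCNLen = sizeof(kEvilCN) - 1;

/* Vulnerable client-side matcher: treats the CN as a C string, so the
 * comparison ends at the embedded NUL and the certificate appears to be
 * for www.paypal.com. The length is passed in but ignored. */
bool hostname_matches_naive(const unsigned char *cn, size_t cn_len,
                            const char *host) {
    (void)cn_len;
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened matcher: rejects any CN with an embedded NUL outright, then
 * compares the full length of the CN against the full hostname. */
bool hostname_matches_safe(const unsigned char *cn, size_t cn_len,
                           const char *host) {
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;                 /* malformed or hostile name */
    size_t host_len = strlen(host);
    if (host_len != cn_len)
        return false;
    return memcmp(cn, host, cn_len) == 0;
}

/* Simplified model of the CA side (an assumption, not any CA's real logic):
 * the CA walks the whole length-delimited CN and checks ownership of its
 * last two labels. Writes that domain into out and returns its length,
 * or 0 if out is too small. */
size_t ca_registered_domain(const unsigned char *cn, size_t cn_len,
                            char *out, size_t out_len) {
    size_t dots = 0, start = 0;
    for (size_t i = cn_len; i > 0; i--) {
        if (cn[i - 1] == '.' && ++dots == 2) {
            start = i;                /* byte after the second-to-last dot */
            break;
        }
    }
    size_t n = cn_len - start;
    if (n + 1 > out_len)
        return 0;
    memcpy(out, cn + start, n);
    out[n] = '\0';
    return n;
}

int main(void) {
    char owned[64];
    ca_registered_domain(kEvilCN, kEvilCNLen, owned, sizeof owned);
    printf("CA validates ownership of: %s\n", owned);
    printf("naive client accepts for www.paypal.com: %s\n",
           hostname_matches_naive(kEvilCN, kEvilCNLen, "www.paypal.com")
               ? "yes" : "no");
    printf("safe client accepts for www.paypal.com:  %s\n",
           hostname_matches_safe(kEvilCN, kEvilCNLen, "www.paypal.com")
               ? "yes" : "no");
    return 0;
}
```

The same CN bytes therefore pass the CA's ownership check (example.com is the attacker's) and the naive client's hostname check (www.paypal.com), which is the gap the comment's step 2 relies on; a client that treats the CN as a length-delimited string, as in hostname_matches_safe, closes it regardless of which CA signed the certificate.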
SSL flaws revealed at Black Hat

Posted Aug 12, 2009 17:54 UTC (Wed) by yodermk (subscriber, #3803)

But how is that different than using that same CA to just sign one for www.paypal.com?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds