SSL flaws revealed at Black Hat
Posted Aug 7, 2009 11:45 UTC (Fri) by farnz
In reply to: SSL flaws revealed at Black Hat
Parent article: SSL flaws revealed at Black Hat
Given the use of self-signed SSL certs all over the place for things like mailing list archives, the exploit goes something like:
- Convince user to install your "CA" certificate, to avoid warnings on a Facebook application/mailing list archive/other low-security requirement site.
- Create certificate for www.paypal.com\0.example.com.
- Go phish!
We know from various trojans that users can be convinced to do various very stupid things, given the right inducement. We know that SSL warnings are scary, and that browsers are making them scarier. We also know that SSL certificates for commercial use from CAs included in all major browsers (including older browsers like IE6) aren't free. Put these together, and a decent criminal should be able to come up with a plausible reason to install their CA certificate, then go play.
to post comments)