
SSL man-in-the-middle attacks

Posted Dec 26, 2008 17:17 UTC (Fri) by dps (guest, #5725)
Parent article: SSL man-in-the-middle attacks

What no browser implements, AFAIK, is automagic display of who a valid certificate authenticates. I could register a domain name and get an SSL certificate. Only those suspicious enough to check the certificate would notice the authenticated domain was not what the HTML indicated.

Maybe we need a separate list of bad certificates, not controlled by any CA, that browsers could check. An online "sting" site might be a good idea too.

Just in case anyone is wondering {phish,phishing}.{org,com,co.uk,org,uk} are all registered already. I am not associated with any of those sites.


SSL man-in-the-middle attacks

Posted Dec 29, 2008 10:13 UTC (Mon) by TRS-80 (guest, #1804)

> What no browser implements, AFAIK, is automagic display of who a valid certificate authenticates. I could register a domain name and get an SSL certificate. Only those suspicious enough to check the certificate would notice the authenticated domain was not what the HTML indicated.

Extended Validation (EV) certificates are supposed to solve this - the browser displays the registered company name in the UI (examples in IE, FF and Safari).

