[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AW: IE https certificate attack

To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject: Re: AW: IE https certificate attack
From: Florian Weimer <Weimer@xxxxxxxxxxxxxxxxxxxxx>
Date: 06 Jan 2002 09:04:23 +0100
In-reply-to: <5FA09C38463BEE4B855CCA87732E639C5BB003@xxxxxxxxxxxxxxxx> (K.J.Mueller@xxxxxxxx's message of "Thu, 3 Jan 2002 15:04:17 +0100")
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <5FA09C38463BEE4B855CCA87732E639C5BB003@xxxxxxxxxxxxxxxx>
Sender: rusfw@xxxxxxxxxxxxxxxxxxxxx
User-agent: Gnus/5.090001 (Oort Gnus v0.01) Emacs/21.1

K.J.Mueller@xxxxxxxx writes:

> could it be, that the text-browsers (lynx, links, w3m) don't even
> bother comparing the actual server name to the certificate's 
> "issued for" entry?

Some of them don't even have a repository of Root CAs, I think.

> Neither did any of them complain when accessing a https web page
> with a self-made certificate.

So they can't check the validity of the certificate at all.

-- 
Florian Weimer 	                  Weimer@xxxxxxxxxxxxxxxxxxxxx
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

References:
- AW: IE https certificate attack
  - From: K . J . Mueller

Prev by Date: HP Secure OS Software for Linux security bulletins digest
Next by Date: Re: IE https certificate attack
Previous by thread: Re: AW: IE https certificate attack
Next by thread: Re: IE https certificate attack
Index(es):
- Date
- Thread

This mailing list archive is a service of Copilotco.