[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Perfect MITM attack with valid SSL Certs



On Tue, Dec 23, 2008 at 8:47 AM, Roc Admin <onionroutor@xxxxxxxxx> wrote:
> ... receive a completely valid certificate for a random domain
> of his choosing without any questions or verification.
> ... the browser pre-trusted certificate authorities
> really needs to be cleaned up.

this is why i am fond of the petname toolbar to identify server
certificates using local trust information rather than assuming any
cert signed by any of the dozens of random CA's bundled with Firefox
is legit:
  https://addons.mozilla.org/en-US/firefox/addon/957

for other applications that use system or application CA certificate
stores you've got fewer options.  if you're really concerned you can
extract the few roots you trust into a new certificate store and tell
the app in question to validate against those CA's only.

supposedly extended validation certs will restore trust in the PKI
hierarchy, but i'm not holding my breath...  *grin*

best regards,