Re: Perfect MITM attack with valid SSL Certs
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Perfect MITM attack with valid SSL Certs
- From: coderman <coderman@xxxxxxxxx>
- Date: Tue, 23 Dec 2008 14:00:49 -0800
On Tue, Dec 23, 2008 at 8:47 AM, Roc Admin <onionroutor@xxxxxxxxx> wrote:
> ... receive a completely valid certificate for a random domain
> of his choosing without any questions or verification.
> ... the browser pre-trusted certificate authorities
> really needs to be cleaned up.

this is why i am fond of the petname toolbar to identify server
certificates using local trust information rather than assuming any
cert signed by any of the dozens of random CAs bundled with Firefox
is legit:
https://addons.mozilla.org/en-US/firefox/addon/957

for other applications that use system or application CA certificate
stores you've got fewer options. if you're really concerned you can
extract the few roots you trust into a new certificate store and tell
the app in question to validate against those CAs only.

supposedly extended validation certs will restore trust in the PKI
hierarchy, but i'm not holding my breath... *grin*

best regards,
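
The root-extraction approach described in the message above, as an added example that is not part of the original post: it filters a PEM CA bundle down to an allowlist of SHA-256 fingerprints and builds a TLS client context that trusts only those roots. The function names are hypothetical, the fingerprints are assumed to have been verified out of band, and the sample bundle is constructed placeholder data.

```python
import base64
import hashlib
import re
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)

def split_bundle(bundle_text):
    """Yield (sha256 hex of the DER bytes, PEM block) for each certificate."""
    for m in PEM_CERT.finditer(bundle_text):
        der = base64.b64decode("".join(m.group(1).split()))
        yield hashlib.sha256(der).hexdigest(), m.group(0) + "\n"

def extract_trusted(bundle_text, trusted_fingerprints):
    """Return a PEM bundle holding only the roots whose fingerprint is listed."""
    # Accept "AB:CD:..." as printed by `openssl x509 -fingerprint -sha256`.
    wanted = {fp.replace(":", "").lower() for fp in trusted_fingerprints}
    kept = {}
    for fp, pem in split_bundle(bundle_text):
        if fp in wanted:
            kept.setdefault(fp, pem)  # drop duplicates in the source bundle
    missing = wanted - set(kept)
    if missing:
        # Fail closed: a pinned root that vanished must not go unnoticed.
        raise ValueError("pinned roots not in bundle: %s" % sorted(missing))
    return "".join(kept.values())

def pinned_context(pinned_pem):
    """TLS client context that validates against the pinned roots only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no system CAs are loaded
    ctx.load_verify_locations(cadata=pinned_pem)
    return ctx

def constructed_block(der):
    """Constructed stand-in for a certificate (placeholder bytes, not X.509)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    roots = [b"constructed root A" * 4, b"constructed root B" * 4]
    bundle = "".join(constructed_block(r) for r in roots)
    keep = hashlib.sha256(roots[0]).hexdigest()
    print(extract_trusted(bundle, [keep]))
```

With a real bundle, the string returned by `extract_trusted` can also be written to a file and handed to any application that accepts a CA file path.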