[Owasp-leaders] Cert Stealer Released

Abbas Naderi abbas.naderi at owasp.org
Thu Dec 26 20:49:36 UTC 2013


There is no such thing as the legitimacy of the signer. As long as someone trusted has signed a certificate, that one is deemed trusted too.
-A
On Dec 26, 2013, at 3:36 PM, Gregory Disney <gregory.disney at owasp.org> wrote:

> Problem is the browser should by default check the legitimacy of the signer; if it's loaded into the CA-certs bundle in Mozilla, the majority besides Akamai will show no difference. Well, this trick isn't for governments anymore, it's for everybody. :)
> On 12/26/13, 12:26 PM, Abbas Naderi wrote:
>> Well, this is changing the signer, e.g. Google is signed by a Level one and you're using a Level 3.
>> This is an old trick, though; many countries have already used this to sniff on their people. The simplest way to stop it is to store fingerprints and check them later.
> 

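The mitigation Abbas describes (store fingerprints and check them later), as an added example that is not part of this thread: a trust-on-first-use pin check that records a server's leaf-certificate fingerprint on first contact and flags any later change, which is what a substituted-signer interception looks like from the client side. The pin file name `cert_pins.json` and the constructed byte strings are assumptions.

```python
import hashlib
import hmac
import json
import os
import socket
import ssl

PIN_STORE = "cert_pins.json"  # assumed file name for stored fingerprints


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def load_pins(path: str = PIN_STORE) -> dict:
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def save_pins(pins: dict, path: str = PIN_STORE) -> None:
    with open(path, "w") as f:
        json.dump(pins, f, indent=2)


def check_pin(host: str, der_cert: bytes, pins: dict) -> str:
    """Trust-on-first-use check against the stored fingerprints.

    Returns "pinned" the first time a host is seen (fingerprint stored),
    "ok" when the presented certificate matches the stored fingerprint,
    and raises ValueError when it differs, regardless of which CA signed it.
    """
    fp = fingerprint(der_cert)
    stored = pins.get(host)
    if stored is None:
        pins[host] = fp
        return "pinned"
    if hmac.compare_digest(stored, fp):  # constant-time comparison
        return "ok"
    raise ValueError(f"fingerprint for {host} changed: {stored} != {fp}")


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a live server presents (CA validation still applies)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Offline demo with constructed stand-in certificate bytes.
    pins = load_pins()
    print(check_pin("example.test", b"constructed-cert-A", pins))  # pinned
    print(check_pin("example.test", b"constructed-cert-A", pins))  # ok
    save_pins(pins)
```

For a real host, replace the constructed bytes with `fetch_der_cert(host)`; a ValueError on a later run means the presented certificate no longer matches the one first recorded.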

