[Owasp-leaders] Cert Stealer Released

Gregory Disney gregory.disney at owasp.org
Thu Dec 26 20:57:47 UTC 2013

Isn't that the whole point of a certificate authority, to be considered a trustworthy signer?
On 12/26/13, 12:49 PM, Abbas Naderi wrote:
> There is no such thing as the legitimacy of the signer. As long as someone trusted has signed a certificate, that one is deemed trusted too.
> -A
> On Dec 26, 2013, at 3:36 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>> The problem is the browser should by default check the legitimacy of the signer; if it is loaded into the CA-certs bundle in Mozilla, the majority, besides Akamai, will show no difference. Well, this trick isn't for governments anymore, it's for everybody.  :)
>> On 12/26/13, 12:26 PM, Abbas Naderi wrote:
>>> Well, this is changing the signer, e.g. Google is signed by a Level one and you're using a Level 3.
>>> This is an old trick though; many countries have already used this to sniff on their people. The simplest way to stop it is to store fingerprints and check them later.
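The "store fingerprints and check them later" defence discussed in the thread is certificate pinning. The following is an added example, not code from the mailing list or from any project mentioned in it: it computes the SHA-256 fingerprint of a certificate's DER bytes (the same value `openssl x509 -fingerprint -sha256` prints), compares it against a stored pin, and shows how the check sits after normal chain validation so that a substitute certificate signed by some other trusted CA is still rejected. The two certificate byte strings and the `example.com` pin table are constructed stand-ins, not real X.509 data; `pinned_connect` is a hypothetical helper that is not exercised offline.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (NOT real X.509 data).
# In a real client these bytes come from SSLSocket.getpeercert(binary_form=True).
EXPECTED_CERT_DER = b"constructed-der-bytes-of-the-expected-leaf-certificate"
SUBSTITUTED_CERT_DER = b"constructed-der-bytes-of-a-cert-signed-by-another-trusted-ca"


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl's output."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept pins written with or without colons/spaces, in either case."""
    return fp.replace(":", "").replace(" ", "").upper()


# Pin table keyed by hostname. Assumed layout for this example: a set of
# acceptable fingerprints per host, so a backup pin can be listed for rotation.
PINS = {
    "example.com": {fingerprint(EXPECTED_CERT_DER)},
}


def check_pin(hostname: str, der_bytes: bytes, pins=PINS) -> bool:
    """True iff the presented certificate matches a stored pin for hostname.

    Raises ValueError when no pin is configured, so a missing entry fails
    closed instead of silently accepting whatever the chain says.
    """
    expected = pins.get(hostname)
    if not expected:
        raise ValueError(f"no pin stored for {hostname}")
    observed = normalize(fingerprint(der_bytes))
    # Constant-time compare; any listed pin (primary or backup) is acceptable.
    return any(hmac.compare_digest(observed, normalize(p)) for p in expected)


def pinned_connect(hostname: str, port: int = 443, pins=PINS, timeout: float = 10.0):
    """Hypothetical helper: TLS connect, then enforce the pin on the leaf certificate.

    wrap_socket() already rejects chains that do not end at a trusted root.
    The pin check runs afterwards and catches the case the thread describes:
    a chain that validates fine but ends at a different signer than expected.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((hostname, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=hostname)
    der = tls.getpeercert(binary_form=True)
    if not check_pin(hostname, der, pins):
        tls.close()
        raise ssl.SSLError(f"pin mismatch for {hostname}: presented {fingerprint(der)}")
    return tls


if __name__ == "__main__":
    # Offline demonstration with the constructed certificates.
    print("expected cert pinned?   ", check_pin("example.com", EXPECTED_CERT_DER))
    print("substituted cert pinned?", check_pin("example.com", SUBSTITUTED_CERT_DER))
```

Pinning the leaf is the strictest form and breaks on every certificate renewal unless the new fingerprint (or a backup pin) is shipped ahead of time; pinning the issuing CA's certificate instead trades some of that brittleness for a wider set of certificates that will pass, so the pin table should be treated as configuration that is rotated deliberately rather than a constant.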
