[Owasp-leaders] Cert Stealer Released

Abbas Naderi abbas.naderi at owasp.org
Thu Dec 26 21:05:34 UTC 2013

They all are. The problem is, they are all trusted the same by the browser, regardless of whether you pay $5 a year for your certificate to be signed, or a thousand times that amount.
On Dec 26, 2013, at 3:57 PM, Gregory Disney <gregory.disney at owasp.org> wrote:

> Isn't that the whole point of certificate authority to be considered a trustworthy signer?
> On 12/26/13, 12:49 PM, Abbas Naderi wrote:
>> There is no such thing as the legitimacy of the signer. As long as someone trusted has signed a certificate, that one is deemed trusted too.
>> -A
>> On Dec 26, 2013, at 3:36 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>>> The problem is that the browser should by default check the legitimacy of the signer; if it's loaded into the CA-certs bundle in Mozilla, the majority besides Akamai will show no difference. Well, this trick isn't for governments anymore, it's for everybody.  :)
>>> On 12/26/13, 12:26 PM, Abbas Naderi wrote:
>>>> Well, this is changing the signer, e.g. Google is signed by a Level 1 and you're using a Level 3.
>>>> This is an old trick though; many countries have already used this to sniff on their people. The simplest way to stop it is to store fingerprints and check them later.
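As an added illustration of the "store fingerprints and check them later" mitigation mentioned above (example code written for this page, not from the thread or any project): a small trust-on-first-use pin store that records the SHA-256 fingerprint of the certificate first seen for a host and flags any later certificate with a different fingerprint, which chain validation alone would accept as long as some trusted CA signed it. The host names, the PEM wrapper helper and the certificate bytes are constructed placeholders.

```python
# Hypothetical example: hosts, pin store and certificate bytes are constructed.
import base64
import hashlib
import hmac
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, formatted like the output of
    `openssl x509 -noout -fingerprint -sha256` (AB:CD:...), so a pin captured
    out of band can be compared directly."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Remembers the fingerprint first seen for each host and reports any
    later certificate whose fingerprint differs, even when a trusted CA
    signed it (ordinary chain validation would accept that certificate)."""

    def __init__(self):
        self._pins = {}  # host -> fingerprint string

    def check(self, host: str, pem_cert: str) -> str:
        der = ssl.PEM_cert_to_DER_cert(pem_cert)  # strip PEM armour, base64-decode
        seen = sha256_fingerprint(der)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = seen  # first use: record the pin
            return "pinned"
        if hmac.compare_digest(pinned, seen):  # constant-time comparison
            return "match"
        return "MISMATCH"  # same host, different certificate: do not proceed


def _fake_pem(body: bytes) -> str:
    """Wrap constructed bytes in PEM armour so they stand in for a real
    certificate (no valid ASN.1 is needed to compute a fingerprint)."""
    b64 = base64.encodebytes(body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    store = PinStore()
    original = _fake_pem(b"constructed cert issued by CA-1 for example.com")
    swapped = _fake_pem(b"constructed cert issued by CA-2 for example.com")
    print(store.check("example.com", original))  # pinned
    print(store.check("example.com", original))  # match
    print(store.check("example.com", swapped))   # MISMATCH
```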
