[Owasp-leaders] Cert Stealer Released

Tobias tobias.gondrom at owasp.org
Sun Dec 29 09:30:56 UTC 2013


just fyi: the browser vendors are in the IETF currently working on cert
pinning, which should be released very soon and will pin the cert to a
domain. (With that the browser will only accept your pinned domain cert
for your domain, instead of any one from any of the 640s CAs worldwide.)
This was developed as a response out of the Diginotar/Comodo incidents
in 2011.

Best regards, Tobias

On 26/12/13 21:05, Abbas Naderi wrote:
> They all are, the problem is, they are all trusted the same by the browser, regardless of whether you pay $5 a year for your certificate to be signed, or a thousand times that amount.
> -A
> On Dec 26, 2013, at 3:57 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>> Isn't that the whole point of certificate authority to be considered a trustworthy signer?
>> On 12/26/13, 12:49 PM, Abbas Naderi wrote:
>>> There is no such thing as the legitimacy of the signer. As long as someone trusted has signed a certificate, that one is deemed trusted too.
>>> -A
>>> On Dec 26, 2013, at 3:36 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>>>> Problem is browser should by default check the legitimacy of the signer, if it loaded into the CA-certs bundle in mozilla, majority besides akamia will show no difference. Well this trick isn't for governments anymore, it's for everybody.  :)
>>>> On 12/26/13, 12:26 PM, Abbas Naderi wrote:
>>>>> Well this is changing the signer, e.g google is signed by a Level one and you're using a Level 3.
>>>>> This is an old trick though, many countries already used this to sniff on their people. The simplest way to stop it is to store fingerprints and check them later.
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131229/8c53ff73/attachment.html>

More information about the OWASP-Leaders mailing list