[Owasp-leaders] Cert Stealer Released

Abbas Naderi abbas.naderi at owasp.org
Sun Dec 29 17:26:56 UTC 2013


Well then it just introduces the new pinning attacks that existed on DNS. That's not a solution.
-A
On Dec 29, 2013, at 4:30 AM, Tobias <tobias.gondrom at owasp.org> wrote:

> Hi, 
> 
> just fyi: the browser vendors are in the IETF currently working on cert pinning, which should be released very soon and will pin the cert to a domain. (With that the browser will only accept your pinned domain cert for your domain, instead of any one from any of the 640s CAs worldwide.) This was developed as a response out of the Diginotar/Comodo incidents in 2011. 
> 
> Best regards, Tobias
> 
> 
> On 26/12/13 21:05, Abbas Naderi wrote:
>> They all are, the problem is, they are all trusted the same by the browser, regardless of whether you pay $5 a year for your certificate to be signed, or a thousand times that amount.
>> -A
>> On Dec 26, 2013, at 3:57 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>> 
>>> Isn't that the whole point of certificate authority to be considered a trustworthy signer?
>>> On 12/26/13, 12:49 PM, Abbas Naderi wrote:
>>>> There is no such thing as the legitimacy of the signer. As long as someone trusted has signed a certificate, that one is deemed trusted too.
>>>> -A
>>>> On Dec 26, 2013, at 3:36 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>>>> 
>>>>> Problem is browser should by default check the legitimacy of the signer, if it loaded into the CA-certs bundle in mozilla, majority besides Akamai will show no difference. Well this trick isn't for governments anymore, it's for everybody.  :)
>>>>> On 12/26/13, 12:26 PM, Abbas Naderi wrote:
>>>>>> Well this is changing the signer, e.g. Google is signed by a Level one and you're using a Level 3.
>>>>>> This is an old trick though, many countries already used this to sniff on their people. The simplest way to stop it is to store fingerprints and check them later.
>> 
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
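The "store fingerprints and check them later" approach mentioned in the quoted thread, as an added example that is not code from any of the participants: compute a SHA-256 fingerprint of the server's DER-encoded certificate, keep a small per-host pin store, and reject the connection when the presented certificate does not match a stored pin, even if it chains to a CA the browser trusts. The hostnames and the DER byte strings used in the test are constructed placeholders, not real certificates; `connect_and_verify` is the only part that touches the network and is not exercised offline.

```python
"""Certificate fingerprint pinning: store fingerprints now, check them later.

Added example, not code from the mailing-list thread. The DER blobs and
hostnames used with this module are constructed for illustration.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Dict, Set


def fingerprint_der(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Maps a hostname to the set of certificate fingerprints accepted for it.

    More than one pin per host is allowed on purpose: the current certificate
    plus a backup, so the operator can rotate certificates without locking
    pinned clients out.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, Set[str]] = {}

    def add(self, host: str, fingerprint: str) -> None:
        self._pins.setdefault(host.lower(), set()).add(fingerprint.lower())

    def check(self, host: str, der_cert: bytes) -> bool:
        """Return True only if the presented certificate matches a stored pin.

        A host with no stored pins fails closed here: a CA-valid certificate
        from an unexpected issuer (the scenario in the thread) must not pass
        merely because nothing was recorded for the host.
        """
        pins = self._pins.get(host.lower())
        if not pins:
            return False
        seen = fingerprint_der(der_cert)
        # Constant-time comparison against each pin; any match accepts.
        return any(hmac.compare_digest(seen, pin) for pin in pins)


def connect_and_verify(store: PinStore, host: str, port: int = 443,
                       timeout: float = 10.0) -> bool:
    """Perform the normal CA-chain check, then the pin check on top.

    Network code: not run in the offline test. Raises ssl.SSLError on a
    pin mismatch so callers treat it like any other TLS failure.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not store.check(host, der):
        raise ssl.SSLError(
            f"pin mismatch for {host}: presented {fingerprint_der(der)}")
    return True
```

The pin is taken over the whole DER certificate, which is what "store the fingerprint" in the thread means; it therefore has to be refreshed (or a backup pin added first) whenever the certificate is reissued, which is one reason the browser-side work pins a hash rather than trusting whatever the CA set signs.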
