[Owasp-leaders] Fake SSL Certs flood market

Erlend Oftedal erlend.oftedal at owasp.org
Sat Feb 15 00:05:19 UTC 2014


As the article says, mobile apps frequently lack proper certificate
handling. Those will fail silently and happily accept any certificate
with the right CN.

Best regards,
Erlend
From: Jim Manico
Sent: 14.02.2014 23:46
To: Gregory Disney
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Fake SSL Certs flood market
These fake certs are not signed by a CA. Although bad, browsers will
give strong warnings that these are fraudulent. Cert pinning is not
even necessary here, standard CA verification is all that is needed.
Anyone can create a fake cert like this in two minutes. Why is this
new?

--
Jim Manico
@Manicode
(808) 652-3805

> On Feb 14, 2014, at 11:27 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>
> http://news.netcraft.com/archives/2014/02/12/fake-ssl-certificates-deployed-across-the-internet.html
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders