Re: [fw-wiz] Firewall best practices

lordchariot said in part:

... but can you imagine
if a nefarious CA got embedded into the browser?

Meh, it actually probably wouldn't make much difference anyway. Users are
just going to click OK anyway to bypass the warning...sigh.


Capture some packets when using IE when it finds a web site using a
certificate whose entire certification path is not included in the local
machine account's "Trusted Root Certification Authorities". What happens is
both enlightening and frightening when this occurs with the wrong

I chose not to elaborate on the consequences. I share erik's "sigh".

firewall-wizards mailing list