RE: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukh_at_online.gateway.technolabs.net)
Date: 06/02/04

    To: "Chris van der Pennen" <chris@sw.gotdns.org>, <full-disclosure@lists.netsys.com>
    Date: Wed, 2 Jun 2004 08:57:51 +0530
    
    

    > I've been getting SSL certificates from various websites recently that are
    > apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign.
    > The certificate expired 6 December 2002.

    this is a valid attempt
     
    > The data in Issued To and Issued By are identical.

    no big deal in this type of cert; these certs can be created by anyone, except that verisign cert would not have been accepted by the browser. that is why we have trusted Certificate authorities which do the validation of the certs.

    > This smells very much like an SSL hijack attempt - can anyone shed some
    > light on the situation?

    if this is your site, please revoke the cert and make a new one, or if you know the site owner please alert the site owner as well as verisign

    -aditya


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
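
The three observations in this thread (issuer identical to subject, a past expiry date, and an issuer name one letter away from a real CA) can be checked mechanically on already-extracted certificate fields. The following is an added example, not code from the post; the CA name list, function names and distance threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timezone

# Assumed, illustrative list of CA names to compare against (not from the post).
KNOWN_CA_NAMES = ["VeriSign", "Thawte", "Entrust"]

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def lookalike_of(name, max_distance=2):
    """Return the known CA name that a word in `name` nearly matches, else None.
    An exact match is not flagged here; it proves nothing either, since only
    chain validation against the trust store does."""
    for word in name.split():
        for known in KNOWN_CA_NAMES:
            if 0 < edit_distance(word.lower(), known.lower()) <= max_distance:
                return known
    return None

def triage(subject, issuer, not_after, now):
    """Return a list of findings for one certificate's extracted fields."""
    findings = []
    if subject == issuer:
        findings.append("self-signed: issuer equals subject")
    if not_after < now:
        findings.append("expired")
    hit = lookalike_of(issuer)
    if hit:
        findings.append("issuer name resembles " + hit)
    return findings

if __name__ == "__main__":
    # Constructed sample using the values quoted in the thread.
    name = "VerySign Class 1 Authority"
    expiry = datetime(2002, 12, 6, tzinfo=timezone.utc)
    seen = datetime(2004, 6, 2, tzinfo=timezone.utc)
    for finding in triage(name, name, expiry, seen):
        print(finding)
```

The name comparison is only a hint for a reviewer or log pipeline; the authoritative check remains whether the chain validates to a trusted root.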

