Re: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?

Valdis.Kletnieks_at_vt.edu
Date: 06/02/04

  • Next message: Nicola Del Vacchio: "Re: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?"
    To: Chris van der Pennen <chris@sw.gotdns.org>
    Date: Wed, 02 Jun 2004 12:45:09 -0400
    
    
    

    On Wed, 02 Jun 2004 07:39:31 +0930, Chris van der Pennen <chris@sw.gotdns.org> said:
    > I've been getting SSL certificates from various websites recently that are
    > apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign.
    > The certificate expired 6 December 2002.

    > The data in Issued To and Issued By are identical.

    > This smells very much like an SSL hijack attempt - can anyone shed some
    > light on the situation?

    Or some webserver package that builds a self-signed certificate so SSL works
    without having to pay Verisign, and does so in a "cute" manner that users are
    likely to accept the cert without thinking about it. It's probably NOT a hijack
    attempt unless you have *OTHER* evidence of that (phishy-looking redirect
    javascript on the page, etc....)

    Given how little *real* security a signed cert creates, it's probably not worth
    worrying about.

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
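
The three observations in the quoted report (identical Issued To and Issued By, an expiry date in the past, an issuer name one letter off a real CA) can be checked mechanically. This is an added example, not part of the original message; it works on the dict layout returned by Python's `ssl.getpeercert()`, and the `KNOWN_CAS` list, the similarity threshold and the sample certificate are assumptions constructed for illustration.

```python
import difflib
import ssl
from datetime import datetime, timezone

# Assumed reference list of CA organisation names (illustrative, not exhaustive).
KNOWN_CAS = ["VeriSign", "Thawte", "Entrust"]

def name_field(rdns, key):
    """Pull one attribute out of the nested tuple form used by ssl.getpeercert()."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return ""

def lookalike(org, threshold=0.8):
    """Return the known CA that `org` resembles without matching it, else None."""
    words = org.split()
    first = words[0].lower() if words else ""
    for ca in KNOWN_CAS:
        ratio = difflib.SequenceMatcher(None, first, ca.lower()).ratio()
        if first != ca.lower() and ratio >= threshold:
            return ca
    return None

def triage(cert, now):
    """Return the list of findings for one decoded certificate."""
    findings = []
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed: Issued To equals Issued By")
    # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" notAfter format
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now.timestamp():
        findings.append("expired")
    hit = lookalike(name_field(cert["issuer"], "organizationName"))
    if hit:
        findings.append(f"issuer name resembles {hit}")
    return findings

# Constructed sample modelled on the report in this thread; time of day is invented.
NAME = ((("organizationName", "VerySign Class 1 Authority"),),
        (("commonName", "VerySign Class 1 Authority"),))
SAMPLE = {"subject": NAME, "issuer": NAME, "notAfter": "Dec  6 00:00:00 2002 GMT"}

if __name__ == "__main__":
    for finding in triage(SAMPLE, datetime(2004, 6, 2, tzinfo=timezone.utc)):
        print(finding)
```

Each finding is a triage signal rather than a verdict: a self-signed, expired certificate with a lookalike name fits both explanations offered in this thread.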


