Re: [Full-Disclosure] VerySign Class 1 Authority - bogus SSL certificate?

From: Nicola Del Vacchio (nicola_at_delvacchio.it)
Date: 06/02/04

  • Next message: Thierry Carrez: "[Full-Disclosure] ERRATA: [ GLSA 200405-25 ] tla: Multiple vulnerabilities in included libneon"
    To: Valdis.Kletnieks@vt.edu
    Date: Wed, 02 Jun 2004 19:26:58 +0200
    
    
    
    

    it seems to me like the fake certificates that a tool like ettercap issues.

    compare with this (fake) certificate.

    cheers
    nicola del vacchio
    security consultant
    genova italy
    nicola@delvacchio.it

    On Wed, 2004-06-02 at 18:45, Valdis.Kletnieks@vt.edu wrote:
    > On Wed, 02 Jun 2004 07:39:31 +0930, Chris van der Pennen <chris@sw.gotdns.org> said:
    > > I've been getting SSL certificates from various websites recently that are
    > > apparently from a "VerySign Class 1 Authority" - note the 'y' in VerySign.
    > > The certificate expired 6 December 2002.
    >
    > > The data in Issued To and Issued By are identical.
    >
    > > This smells very much like an SSL hijack attempt - can anyone shed some
    > > light on the situation?
    >
    > Or some webserver package that builds a self-signed certificate so SSL works
    > without having to pay Verisign, and does so in a "cute" manner that users are
    > likely to accept the cert without thinking about it. It's probably NOT a hijack
    > attempt unless you have *OTHER* evidence of that (phishy-looking redirect
    > javascript on the page, etc....)
    >
    > Given how little *real* security a signed cert creates, it's probably not worth
    > worrying about.
    >

    
    

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
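Added example, not part of the original thread: a triage check for the three indicators the original report lists (identical Issued To / Issued By, an expiry in the past, and an issuer name one letter off a real CA). It assumes the certificate is already decoded into the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificate, the CA name list and the 0.8 similarity threshold are constructed for illustration.

```python
import difflib
import ssl

# Assumption: a short comparison list of CA names; extend it for real use.
KNOWN_CA_NAMES = ["VeriSign", "Thawte", "Equifax", "Entrust"]

def _names(rdns):
    """Flatten the nested RDN tuples of a getpeercert()-style field into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def lookalike_of(text, threshold=0.8):
    """Return the known CA name that a word in `text` resembles but does not equal."""
    for word in text.replace(",", " ").split():
        for ca in KNOWN_CA_NAMES:
            if word.lower() == ca.lower():
                continue  # exact match is the real name, not a lookalike
            ratio = difflib.SequenceMatcher(None, word.lower(), ca.lower()).ratio()
            if ratio >= threshold:
                return ca
    return None

def triage(cert, now):
    """List the warning signs found in `cert`; `now` is seconds since the epoch."""
    findings = []
    subject, issuer = _names(cert["subject"]), _names(cert["issuer"])
    if subject == issuer:
        findings.append("self-signed: Issued To and Issued By are identical")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired: notAfter " + cert["notAfter"])
    for value in sorted(set(issuer.values())):
        ca = lookalike_of(value)
        if ca:
            findings.append(f"lookalike issuer: {value!r} resembles {ca!r}")
    return findings

# Constructed sample modelled on the report: same name on both sides,
# expiry on 6 December 2002 (the time of day is made up).
_DN = ((("organizationName", "VerySign Class 1 Authority"),),
       (("commonName", "VerySign Class 1 Authority"),))
SAMPLE = {"subject": _DN, "issuer": _DN, "notAfter": "Dec  6 00:00:00 2002 GMT"}

if __name__ == "__main__":
    # Evaluate as of the date of the reply above.
    for line in triage(SAMPLE, ssl.cert_time_to_seconds("Jun  2 17:26:58 2004 GMT")):
        print(line)
```
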



