Re: Re[2]: [Full-disclosure] Five Ways to Screw Up SSL



On 5/21/06, Thierry Zoller <Thierry@xxxxxxxxx> wrote:
Dear Dude VanWinkle,

DV> Why would it matter who signed it? As long as the data is encrypted as
DV> it travels over the internet, I am happy.
Why would it matter who signed it? I am happy to handle the ssl
handshake mitm for you. All your encrypted data is belong to me.

I was referring to the CA that signs it. It was implied that
freessl.com, who gives out trial certificates, is an unreliable CA. I
do not understand why their certs would be any less valid than
anothers.

As long as the website listed on the cert is the website you are
visiting, why should it matter who issued the cert?

-JP


--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: Life After CISSP?
    ... It's not a matter of knowing the right answer...it's a matter of knowing the answer that ISC^2 wants you to know. ... On a side note, in the interviews I've gone through for positions that required a CISSP, I have not once been asked to provide proof. ... I have voluntarily shown my card, but I have never been asked for so much as my cert number. ... Astaro Security Linux -- firewall with Spam/Virus Protection ...
    (Security-Basics)
  • Re: Zimmermann develops new secure VoIP software
    ... [e.g. hash digest printed on a business card] ... and look up his cert ... The problem is that Joe Sixpack will never be able to do this. ... deal with it (no matter what system you decide to go with). ...
    (sci.crypt)
  • Re: [Full-disclosure] Vunerability in yahoo webmail.
    ... Since the source code is open to everyone now, it is just a matter of ... time for someone to redesign it and make it work Yahoo Beta as well. ... Full-Disclosure - We believe in it. ... Hosted and sponsored by Secunia - http://secunia.com/ ...
    (Full-Disclosure)
  • Re: How to delete root certs for Chrome under Linux?
    ... Company A's signature on company B's cert isn't supposed to mean company ... they all had valid certs it wouldn't matter. ... The real security risk with the internet is that we have to keep ... if I sent a website my CC# over TLS if all they do is backup the DB ...
    (sci.crypt)
  • Re: Lighten WinXP ?
    ... matter. ... "32 Secunia Advisories in 2003-2007" ... What a surprise - 3 years after product stopped shipping and a few million ... less internet users there are fewer advisories. ...
    (microsoft.public.windowsxp.general)