Re: AW: IE https certificate attack

From: Florian Weimer (Weimerat_private-Stuttgart.DE)
Date: Sun Jan 06 2002 - 00:04:23 PST

Next message: Helmut Springer: "Re: IE https certificate attack"

Previous message: IT Resource Center : "HP Secure OS Software for Linux security bulletins digest"
In reply to: K.J.Muellerat_private: "AW: IE https certificate attack"
Next in thread: Helmut Springer: "Re: IE https certificate attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

K.J.Muellerat_private writes:

> could it be, that the text-browsers (lynx, links, w3m) don't even
> bother comparing the actual server name to the certificate's 
> "issued for" entry?

Some of them don't even have a repository of Root CAs, I think.

> Neither did any of them complain when accessing a https web page
> with a self-made certificate.

So they can't check the validity of the certificate at all.

-- 
Florian Weimer 	                  Weimerat_private-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

Next message: Helmut Springer: "Re: IE https certificate attack"
Previous message: IT Resource Center : "HP Secure OS Software for Linux security bulletins digest"
In reply to: K.J.Muellerat_private: "AW: IE https certificate attack"
Next in thread: Helmut Springer: "Re: IE https certificate attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 01:10:41 PST