Re: AW: IE https certificate attack

From: Ben Laurie (benat_private)
Date: Sun Jan 06 2002 - 12:25:50 PST


    K.J.Muellerat_private wrote:
    > 
    > Hi,
    > 
    > could it be that the text-browsers (lynx, links, w3m) don't even
    > bother comparing the actual server name to the certificate's
    > "issued for" entry?
    > 
    > I just tested these and none complained:
    > 
    > - lynx 2.8.5dev.2 (with OpenSSL 0.9.6a)
    > - links 0.96
    > - w3m 0.1.11-pre
    > (all on Mandrake Linux 8.1)
    > 
    > Neither did any of them complain when accessing a https web page
    > with a self-made certificate.
    
    They shouldn't complain about the server name (at least, not if it's
    right) with a self-made cert. However, they should complain about the
    cert not using a trusted CA.
    
    Cheers,
    
    Ben.
    
    --
    http://www.apache-ssl.org/ben.html
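
The two checks distinguished in the reply above, run with the openssl command-line tool against a self-made certificate. This is an added example, not part of the original message: the host names and throwaway key are constructed, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example: constructed host names and a throwaway key, not from the thread.
HOST="www.example.test"

# Create a self-made (self-signed) certificate that names $HOST in its CN.
# openssl falls back to the CN when the certificate has no subjectAltName.
make_self_signed() {   # $1 = directory to write key.pem and cert.pem into
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Check 1: does the certificate name the server the client asked for?
name_matches() {       # $1 = certificate, $2 = requested host name
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Check 2: does the certificate chain to a trusted CA?
# Optional $2 = file with an extra trust anchor; otherwise the default store.
chain_trusted() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Run both checks and report each result separately.
report() {             # $1 = certificate, $2 = requested host name
    if name_matches "$1" "$2"; then echo "name  $2: ok"
    else echo "name  $2: MISMATCH"; fi
    if chain_trusted "$1"; then echo "trust $2: ok"
    else echo "trust $2: UNTRUSTED ISSUER"; fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_self_signed "$WORK"
report "$WORK/cert.pem" "$HOST"                 # right name, untrusted issuer
report "$WORK/cert.pem" "other.example.test"    # wrong name, untrusted issuer
```

A client that reports nothing for either run is skipping both checks; passing the certificate as its own trust anchor (`chain_trusted cert.pem cert.pem`) shows that only the trust decision changes, not the name check.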
    


