From: Mok-Kong Shen on
http://www.wired.com/threatlevel/2010/03/packet-forensics/
From: Tom St Denis on
On Mar 25, 10:26 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> http://www.wired.com/threatlevel/2010/03/packet-forensics/

The device exploits the \0 attack, where people get certs for things
like gmail.google.com\0fakedomain.com. With old SSL/TLS libraries that
do a "strcmp" instead of a memcmp, it will stop at the \0 and not
realize the certificates don't match.

All browsers have been patched as far as I know to not be vulnerable
to this.

Tom
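
The strcmp-versus-length-aware comparison described in the post above, as an added example that is not part of the original thread. The struct, the function names and the sample names are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A certificate name as decoded from ASN.1: bytes plus an explicit length.
   ASN.1 strings are length-prefixed, so they can contain a 0x00 byte. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed check: treats the name as a C string, so the comparison ends at
   the first NUL and the bytes after it are never examined. */
int name_matches_flawed(const struct cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Length-aware check: reject any embedded NUL, require equal lengths,
   then compare every byte. (Simplified: a real verifier would also
   handle case-insensitivity and wildcards.) */
int name_matches_strict(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != hlen)
        return 0;
    return memcmp(cn->data, host, hlen) == 0;
}

/* Constructed sample names; the first has the form quoted in the post. */
static const unsigned char NUL_NAME[] = "gmail.google.com\0fakedomain.com";
static const unsigned char OK_NAME[]  = "gmail.google.com";

const struct cert_name sample_nul = { NUL_NAME, sizeof NUL_NAME - 1 };
const struct cert_name sample_ok  = { OK_NAME,  sizeof OK_NAME - 1 };

int main(void)
{
    const char *host = "gmail.google.com";
    printf("flawed, NUL name: %d\n", name_matches_flawed(&sample_nul, host));
    printf("strict, NUL name: %d\n", name_matches_strict(&sample_nul, host));
    printf("strict, clean name: %d\n", name_matches_strict(&sample_ok, host));
    return 0;
}
```
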
From: mike clark on
On Mar 25, 8:26 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> http://www.wired.com/threatlevel/2010/03/packet-forensics/

From the article "Users have the ability to import a copy of any
legitimate key they obtain (potentially by court order)..." Have there
been any court cases where this has happened?

My guess is that the rest of that sentence is more likely what will
happen "...or they can generate 'look-alike' keys designed to give the
subject a false sense of confidence in its authenticity." Users are
the weakest link, right?

Either way, I'm still using SSL.
From: Mok-Kong Shen on
A related link:

http://www.crypto.com/blog/spycerts
From: Noob on
mike clark wrote:

> From the article "Users have the ability to import a copy of any
> legitimate key they obtain (potentially by court order)..." Have there
> been any court cases where this has happened?
>
> My guess is that the rest of that sentence is more likely what will
> happen "... or they can generate 'look-alike' keys designed to give the
> subject a false sense of confidence in its authenticity." Users are
> the weakest link, right?

cf. also via http://lwn.net/Articles/380140/

Matt Blaze's(*) take on the subject:
http://www.crypto.com/blog/spycerts/

(*) http://en.wikipedia.org/wiki/Matt_Blaze

Regards.