Submission: Disclosure: No-check SSL Certificates... (startcom.org)
StartCom writes: "In a previous article I reported about Man-In-The-Middle (MITM) attacks and if they really happen. Unfortunately it does happen as some testimonials confirm. Now it's even easier because in the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and fully trusted certificate? No problem, just head over to one of Comodo's resellers.
And here the disclosure: In order to confirm for yourself, edit the hosts file at your computer and add the following entry:
- 192.116.242.23 www.mozilla.com
- 192.116.242.23 mozilla.com
Navigate with your browser to https://www.mozilla.com/ and enjoy Mozilla's new home page.
Otherwise read the article, which includes screenshots."
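From a defender's stance, the easiest way to spot the setup the submission walks through on a workstation is to check the local hosts file for entries that override high-value domains. The following is an added example, not code from the original article or from StartCom; the sample hosts content and the watched-domain list are constructed for illustration.

```python
"""Detect hosts-file overrides of well-known domains.

Added example (not from the original page). Parses hosts-file text and flags
watched domains that are mapped to a non-loopback address, which is exactly
what the two mozilla.com entries in the submission do.
"""
import ipaddress

# Constructed sample hosts file; the two mozilla.com lines mirror the entries
# the submission tells readers to add.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.116.242.23  www.mozilla.com
192.116.242.23  mozilla.com   # added per the disclosure
10.0.0.5        intranet.example.test
"""

# Assumption: the defender maintains a list of domains that must never be
# overridden locally. This list is illustrative only.
WATCHED_DOMAINS = {"mozilla.com", "www.mozilla.com", "addons.mozilla.org"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostnames is not a mapping
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip lines whose first field is not an address
        for name in fields[1:]:
            yield ip, name.lower()


def find_overrides(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains pointed at non-loopback addresses."""
    return [(name, str(ip)) for ip, name in parse_hosts(text)
            if name in watched and not ip.is_loopback]


if __name__ == "__main__":
    for name, ip in find_overrides(SAMPLE_HOSTS):
        print(f"ALERT: {name} is mapped locally to {ip}")
```

Loopback mappings are deliberately ignored because they sinkhole a name rather than redirect it to a server that can present a certificate.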
Lemons. (Score:2)
The CA system supported by modern browsers is fundamentally broken. The people being protected (end-users) are not the people buying the service (site owners). The people providing the service (CAs) can't individually protect anyone, because any other CA with poorer verification practices can make useless the service provided by the first CA.
A notary system is better... the end-user pays for access to a notary system (or it comes with their browser, or they can use a free/p2p/etc one). They ask the notary w
Re: (Score:1)
Re: (Score:2)
According to the work done over at Mozilla, this shouldn't happen.
Yes, but that requires active enforcement against the economic incentives inherent in the system, which makes it fragile and IMO unreliable.
Re: (Score:1)