ESSL exploit: http://www.eweek.com/c/a/Security/Security-Researchers-Exploit-Vulnerability-in-Handling-of-EV-SSL-Certificates ~~ F.Y.I. (OT)
gerry_lowry (alliston ontario canada (705) 250-0112)
gerry.lowry at abilitybusinesscomputerservices.com
Tue Jul 14 16:16:48 CEST 2009
http://www.eweek.com/c/a/Security/Security-Researchers-Exploit-Vulnerability-in-Handling-of-EV-SSL-Certificates
VERY SCARY; public wireless is especially very vulnerable.
"Imagine you have a user who is on a public Wi-Fi access point at a café, and he's logging into his bank account and his bank uses
EV SSL," Zusman said. "So he logs in, he sees that green glow and he assumes that because he sees that green glow he's secure [and]
everything is fine. But just next to him is an attacker who's either compromised that wireless network or has set up a rogue access
point to trick the victim into connecting to it and now he serves as a man in the middle."
This article leads me to revise my conclusion to my earlier week of research into SSL certificates.
"The vulnerability in the way browsers treat EV SSL certificates makes them no more valuable than the cheapest SSL certificate, the
researchers say."
g.
More information about the Gnupg-users mailing list