Perfect MITM attack with valid SSL Certs

coderman coderman at gmail.com
Tue Dec 23 22:00:49 UTC 2008


On Tue, Dec 23, 2008 at 8:47 AM, Roc Admin <onionroutor at gmail.com> wrote:
> ... receive a completely valid certificate for a random domain
> of his choosing without any questions or verification.
> ... the browser pre-trusted certificate authorities
> really needs to be cleaned up.

this is why i am fond of the petname toolbar to identify server
certificates using local trust information rather than assuming any
cert signed by any of the dozens of random CA's bundled with Firefox
is legit:
  https://addons.mozilla.org/en-US/firefox/addon/957

for other applications that use system or application CA certificate
stores you've got fewer options.  if you're really concerned you can
extract the few roots you trust into a new certificate store and tell
the app in question to validate against those CA's only.

supposedly extended validation certs will restore trust in the PKI
hierarchy, but i'm not holding my breath...  *grin*

best regards,



More information about the tor-talk mailing list
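
The restricted-store approach suggested in the message above, as an added example that is not part of the original post: it copies only the roots you name by SHA-256 fingerprint out of a bundle, then checks that a certificate issued by a root left behind no longer validates. The helper names, file names and throwaway certificates are all assumptions made for the illustration, and it expects a recent OpenSSL command line (one that supports `-no-CApath`).

```shell
# Added example. Every certificate is a throwaway constructed on the spot; roots A and B stand in for bundled CAs.

# fingerprint CERT: print the SHA-256 fingerprint of a PEM certificate
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# extract_roots BUNDLE OUT FPR...: copy only the roots with a listed fingerprint from BUNDLE into OUT
extract_roots() {
    bundle=$1; out=$2; shift 2
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$bundle"
    : > "$out"
    for c in "$tmp"/*.pem; do
        fp=$(fingerprint "$c")
        for want in "$@"; do
            if [ "$fp" = "$want" ]; then cat "$c" >> "$out"; fi
        done
    done
    rm -rf "$tmp"
}

# chain_ok STORE CERT: succeed only if CERT chains to a root in STORE.
# -no-CApath stops openssl from also consulting the system default directory.
chain_ok() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_root NAME / make_leaf NAME ROOT: constructed test material
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Root $1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1.example" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

# demo: returns 0 when site-b validates against the full bundle but not against the store holding only root A
demo() (
    cd "$(mktemp -d)" || return 1
    make_root A && make_root B && make_leaf site-a A && make_leaf site-b B || return 1
    cat A.pem B.pem > bundle.pem
    extract_roots bundle.pem trusted.pem "$(fingerprint A.pem)"
    chain_ok bundle.pem site-b.pem && chain_ok trusted.pem site-a.pem && ! chain_ok trusted.pem site-b.pem
)
```

An application is then pointed at the resulting `trusted.pem` through whatever CA-file setting it offers, with its default store disabled.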