Re: [Full-disclosure] TLS servers with overbroad certificates may mishandle diverted connections
- To: Matt McCutchen <matt@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] TLS servers with overbroad certificates may mishandle diverted connections
- From: Florian Weimer <fweimer@xxxxxx>
- Date: Tue, 15 Mar 2011 07:37:01 +0000
* Matt McCutchen:
> To test a server, simply view its certificate, choose a DNS name for
> which the certificate is valid but for which the server is not listed in
> DNS, and map that name to the server in your hosts file.
So you need a certificate to make this work. This is out of scope of
what TLS protects against. If you've got a breach on the X.509 side
of things, TLS won't help you (if you rely on X.509 certificates).
> An HTTP redirect to a non-TLS site is bad: if it happens on a request
> for a JavaScript file, the attacker can now inject malicious code.
I agree that this can be a problem, but it is not a protocol issue.
It's a server-side misconfiguration, combined with a certificate that
was inappropriately acquired or shared.
--
Florian Weimer <fweimer@xxxxxx>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
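A defender's self-test for the diversion described in the quoted post, added here as an example that is not part of either message: it connects to a server's own IP as if a second name covered by its certificate had been resolved to it (what the hosts-file mapping does), sends a request under that name, and flags a redirect to a plain http:// URL. The function names and the sample values are assumptions.

```python
import socket
import ssl
import http.client
from urllib.parse import urlsplit


def downgrade_redirect(status, location):
    """Classify one HTTP response: True when it is a 3xx redirect whose
    Location is an absolute http:// URL, the case the post warns about
    (a script fetched over TLS being bounced to a cleartext origin)."""
    if not (300 <= status < 400) or not location:
        return False
    return urlsplit(location).scheme.lower() == "http"


def probe_diverted(server_ip, diverted_name, path="/", port=443, timeout=5):
    """Connect to server_ip as though the client had resolved diverted_name
    to it, with SNI and the Host header both set to diverted_name.
    Returns (cert_valid_for_name, status, location). A False first element
    means the certificate does not cover the name, so the test does not
    apply; otherwise inspect the redirect with downgrade_redirect()."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    raw = socket.create_connection((server_ip, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=diverted_name)
    except ssl.SSLCertVerificationError:
        raw.close()
        return (False, None, None)
    # Reuse the already-established TLS socket for the HTTP exchange.
    conn = http.client.HTTPConnection(diverted_name, port, timeout=timeout)
    conn.sock = tls
    conn.request("GET", path, headers={"Host": diverted_name})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return (True, resp.status, location)


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    valid, status, loc = probe_diverted("192.0.2.10", "alt.example.test",
                                        path="/static/app.js")
    if not valid:
        print("certificate does not cover that name; nothing to test")
    elif downgrade_redirect(status, loc):
        print("server redirects diverted request to cleartext:", loc)
    else:
        print("no downgrade redirect (status %s)" % status)
```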