[RndTbl] significant SSL certificate screw-up

Adam Thompson athompso at athompso.net
Thu Mar 24 16:50:34 CDT 2011


FYI…

http://www.publicsafety.gc.ca/prg/em/ccirc/2011/av11-025-eng.aspx

Basically, Comodo re-issued certificates for several popular web sites to someone posing as Microsoft, as Yahoo, as Google, etc… so there is now a possibility that even if you’ve connected using SSL/TLS to a site like https://login.live.com, if someone has managed to redirect your browser (using DNS attacks, say), even if you check the SSL certificate and it looks right, it might not be legitimate anyway.

Microsoft, Google, and the Mozilla Foundation have all released updates for their browsers that explicitly black-list the affected certificates; if you’re doing any computing in a high-assurance environment and would ever rely on any of these certificates for any reason, you should consider black-listing them in your software.

-Adam
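One way to apply the black-listing advice in client software you control, shown as an added example that is not part of the original message: after the normal chain and hostname checks succeed, the server's leaf certificate is still rejected if its SHA-256 fingerprint is on a local blocklist. The message does not list the affected fingerprints, so the blocklist is a parameter to be filled from the vendor advisories; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import socket
import ssl

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"


class BlockedCertificate(Exception):
    """The peer presented a certificate that is on the local blocklist."""


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' and return lowercase hex, no separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def check_not_blocked(der: bytes, blocklist) -> str:
    """Return the fingerprint, or raise if it appears in the blocklist."""
    fp = fingerprint(der)
    if fp in {normalize(entry) for entry in blocklist}:
        raise BlockedCertificate(f"certificate {fp} is on the local blocklist")
    return fp


def connect_checked(host: str, port: int, blocklist, timeout: float = 10.0):
    """Open a TLS connection; refuse it if the leaf certificate is blocked.

    The default context still performs chain and hostname validation. The
    blocklist check runs afterwards because a mis-issued certificate passes
    those checks: it was signed by a CA the trust store accepts.
    """
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    try:
        check_not_blocked(tls.getpeercert(binary_form=True), blocklist)
    except BlockedCertificate:
        tls.close()  # drop the session before any application data is sent
        raise
    return tls
```

The check covers only the leaf certificate the server presents; it does not replace revocation checking or the browser vendors' own updates.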

 
