[RndTbl] Google certificates suborned

Tim Lavoie tim at fractaldragon.net
Tue Dec 10 09:02:39 CST 2013


On 12/9/2013, 9:34 PM, Adam Thompson wrote:
> Well, that's just lovely:
>
> http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html
>
>
Awesome, though it does help highlight the issue of SSL/TLS structural
weakness. It doesn't need anything that fancy if you control the clients
either of course, as the ability to MITM traffic is a built-in feature
in lots of devices.

On the other hand, I have appreciated the visibility I get from the
Perspectives plug-in for Firefox. It basically asks other systems for
the certificates they see, and highlights any (sometimes valid)
discrepancies. If you want to see it squawk, connect to one of those
hotspots that hijacks your first browser request to log in using an
HTTPS site.
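
The multi-vantage-point comparison described above, as an added example that is not part of the original message and is not the Perspectives plug-in's code or protocol. The vantage-point names, the 0.75 quorum, the verdict labels and the byte strings standing in for DER certificates are all constructed assumptions.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def compare_views(local_der: bytes, remote_views: dict, quorum: float = 0.75) -> dict:
    """Compare the certificate seen locally with what other vantage points report.

    remote_views maps a vantage-point name to the set of fingerprints it has
    observed for the same host:port. Vantage points with no data are ignored.
    """
    local_fp = fingerprint(local_der)
    answered = {name: fps for name, fps in remote_views.items() if fps}
    agree = sorted(name for name, fps in answered.items() if local_fp in fps)
    disagree = sorted(set(answered) - set(agree))
    if not answered:
        verdict = "no-data"      # nothing to compare against
    elif len(agree) / len(answered) >= quorum:
        verdict = "consistent"   # most vantage points see the same certificate
    elif agree:
        verdict = "partial"      # can be valid, e.g. several certs in rotation
    else:
        verdict = "mismatch"     # nobody else sees this cert: local interception
    return {"verdict": verdict, "agree": agree, "disagree": disagree}

# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_A = b"constructed: site certificate A"
CERT_B = b"constructed: second valid certificate on another server"
CERT_PORTAL = b"constructed: certificate presented by a hijacking hotspot"

# Constructed observations from hypothetical vantage points.
VIEWS = {
    "vantage-1": {fingerprint(CERT_A)},
    "vantage-2": {fingerprint(CERT_A), fingerprint(CERT_B)},
    "vantage-3": {fingerprint(CERT_A)},
    "vantage-4": set(),  # unreachable, reported nothing
}

if __name__ == "__main__":
    for label, cert in [("A", CERT_A), ("B", CERT_B), ("portal", CERT_PORTAL)]:
        print(label, compare_views(cert, VIEWS))
```

The "partial" verdict corresponds to the sometimes-valid discrepancies mentioned above; "mismatch" is what a hotspot that hijacks the first HTTPS request would produce.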
