On 23/11/2015 22:33, rv...@insightbb.com wrote:
> UPDATE: I've been reading that a lot of people are skeptical in the
> sense that this CA can't actually do anything because the CA has no
> capabilities. I did some more research and found out that this CA can
> indeed sign server certificates. I've updated the list of files above
> to include a certificate issued by the CA with file name
> "badgoogle.crt", which you can also see in this screenshot. For those
> that are unfamiliar with how this works, a network attacker could use
> this CA to sign his or her own fake certificates for use on real
> websites and an affected Dell user would be none the wiser unless
> they happened to check the website's certificate chain. This CA could
> also be used to sign code to run on people's machines, but I haven't
> tested this out yet.
Worth noting also that a deliberate exception is made to certificate pinning by Chrome/IE where there are locally added roots - so if you use this to issue a cert for a pinned site, it will still be accepted :(

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
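As an added illustration (not part of the thread or of any vendor's code), the Go program below shows why a shipped root with its private key matters and how a defender can flag the resulting chains: a constructed root standing in for the vendor-installed one issues a certificate for a hypothetical host, and the check reports that the leaf validates only through the locally added root and not through the public root set. The root name, the host name and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert generates a P-256 key and signs tmpl with parentKey (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand keygen is not expected to fail
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("certificate creation failed")
	}
	return cert, key
}

// Verdict: "public" if leaf chains to the public roots; "local-only" if it validates only via a locally added root (alert on this); else "none".
func Verdict(leaf *x509.Certificate, host string, public, local *x509.CertPool) string {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: public}); err == nil {
		return "public"
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: local}); err == nil {
		return "local-only"
	}
	return "none"
}

// Demo: a constructed root (stand-in for a vendor-installed root whose private key ships on every machine) issues a leaf for a hypothetical host.
func Demo() string {
	now := time.Now()
	root, rootKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		Subject: pkix.Name{CommonName: "Constructed Local Root"}, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}, nil, nil)
	leaf, _ := newCert(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"www.example.com"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: now, NotAfter: now.Add(time.Hour)}, root, rootKey)
	public, local := x509.NewCertPool(), x509.NewCertPool() // public is empty: the constructed root is not a public CA
	local.AddCert(root)                                     // local mirrors the machine's added roots
	return Verdict(leaf, "www.example.com", public, local)
}
```

In a real deployment `public` would be the browser's or OS's bundled root set and `local` the machine-added roots, and any "local-only" result for a site that normally chains to a public CA is the condition to investigate.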