They could use/generate on the fly self-signed for that as well.

On Mon, Feb 06, 2012 at 01:08:33PM -0800, Chris Palmer wrote:
> On 2012-02-06 23:52, ArkanoiD wrote:
>
> > Wait.. It is signed for just one FQDN, what is the point of using it for
> > MITM?
>
> The attackers/network operators know/hope that users will just click through
> any warning. It doesn't have to be a valid cert for the name to function as
> a successful MITM attack tool. And some clients will blindly accept any
> certificate without warning the user at all.
>
> This is why we need hard-fail for wrong certificates, such as the preloaded
> or dynamic pins provide, for all protocols (not just HTTPS).
