Bugtraq mailing list archives
Re: Use of Akamai hosts to circumvent SSL server authentica
From: "John A. Lauro" <jlauro () UMICH EDU>
Date: Thu, 19 Oct 2000 14:56:47 EDT
This problem is not unique to Akamai or Verisign. There are probably many other sites which unintentionally proxy SSL in this manner. Akamai just happens to be a very large instance. Any SSL Web server that transparently proxies arbitrary SSL connections by re-wrapping requests is vulnerable.
Any such certificate would put Akamai (or whoever is proxying it) as the content owner if you view the certificate. That is no less insecure or less easy to do than putting a page up on a completely unrelated secure site... How many people actually view the certificate to see who it was issued to, and verify it is who they think it should be??? Generally all that little lock gets you is a little bit of encryption over public nets...

Not that most users would know this if given a link in a chat room, but... Akamai rarely serves html pages, especially if they contain dynamic data.... (Partly because they can't help with dynamic data, partly because companies want their own domain name in all the links). Akamai mostly just stores images... So the start of the link with akamai in the front would be as much of a clue as you would get if someone created their own paper company and obtained a certificate for it, and I am sure they could make the URL and hostname a lot more convincing....

---------------------------------------------------------------------------
John Lauro                       email: jlauro () flint umich edu
University of Michigan - Flint          jlauro () umich edu
Information Technology Services
303 E. Kearsley St.              phone: (810) 762-3123
Flint, MI 48502                  fax:   (810) 766-6805
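The check the message says few people perform, as an added example that is not part of the original post: it separates what the lock icon establishes (the certificate covers the hostname in the URL) from whether the certificate was issued to the organization the reader expects. The certificate dictionaries follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the hostnames, organization names, URLs and the `assess` helper are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data (not real certificates or hosts).
CDN_CERT = {"subject": ((("organizationName", "Example CDN Inc."),),
                        (("commonName", "*.cdn.example"),)),
            "subjectAltName": (("DNS", "*.cdn.example"),)}
SHOP_CERT = {"subject": ((("organizationName", "Shop Example Ltd."),),
                         (("commonName", "www.shop.example"),)),
             "subjectAltName": (("DNS", "www.shop.example"),)}
PROXIED_URL = "https://edge1.cdn.example/proxy/www.shop.example/login.html"
DIRECT_URL = "https://www.shop.example/login.html"

def _names(cert):
    """DNS names the certificate covers: SAN entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def _org(cert):
    """organizationName from the subject, or None if the cert has none."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "organizationName":
                return v
    return None

def _host_matches(host, pattern):
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern

def assess(url, cert, expected_org):
    """Report what the lock proves and who the certificate was issued to."""
    host = urlsplit(url).hostname or ""
    lock = any(_host_matches(host, n) for n in _names(cert))
    issued_to = _org(cert)
    # Assumption: the reader knows the exact organization name to expect.
    owner = issued_to is not None and issued_to.casefold() == expected_org.casefold()
    return {"host": host, "lock_icon": lock,
            "issued_to": issued_to, "owner_matches": lock and owner}

if __name__ == "__main__":
    for u, c in ((PROXIED_URL, CDN_CERT), (DIRECT_URL, SHOP_CERT)):
        print(assess(u, c, "Shop Example Ltd."))
```

For the proxied URL the lock would show, because the certificate does cover the host in the link, yet `issued_to` names the proxy operator rather than the organization whose page appears to be displayed.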