Full Disclosure mailing list archives
Re: Five Ways to Screw Up SSL
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Mon, 22 May 2006 08:56:23 -0400
> Why would it matter who signed it? As long as the data is encrypted as it travels over the internet, I am happy.
Because encrypted is only half the battle. Trusting that $entity is really $entity is the other half.
Most end-users aren't smart enough to verify that when they hit https://www.chase.com (or whatever) that the other end really *is* Chase -- that's what they pay Verisign for -- because we have at least *some* faith that Verisign took the time to ensure they issued it to the right person.
Never mind that certificates get issued to things like chase-inc.com and the wrong people. That's another problem.
/mike.
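The two halves described in the message above, as an added example that is not part of the original post: a small audit of Python `ssl` client contexts that reports when a configuration encrypts the connection without authenticating the peer. The function names are hypothetical and chosen for this illustration.

```python
import ssl


def encrypt_only_context():
    """Client context that negotiates encryption but accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # signer is never checked
    return ctx


def chain_only_context():
    """Client context that checks the signer but not which name the cert was issued to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def authenticated_context():
    """Library default: trusted signer required and name matched to the requested host."""
    return ssl.create_default_context()


def audit_context(ctx):
    """Return a list of findings; an empty list means the peer's identity is checked."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the requested host")
    return findings


if __name__ == "__main__":
    for name, factory in [
        ("encrypt-only", encrypt_only_context),
        ("chain-only", chain_only_context),
        ("authenticated", authenticated_context),
    ]:
        problems = audit_context(factory())
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

A context that passes this audit still depends on the CA having issued the certificate to the right party, which is the separate problem the message mentions.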