[svlug] FYI for all those who don't read slashdot

Michael Eager eager at eagercon.com
Tue Nov 18 17:23:13 PST 2014


On 11/18/14 15:28, Marc MERLIN wrote:
> On Tue, Nov 18, 2014 at 12:50:38PM -0800, Michael Eager wrote:
>> On 11/18/14 12:19, Josef Grosch wrote:
>>> http://it.slashdot.org/story/14/11/18/1830229/launching-2015-a-new-certificate-authority-to-encrypt-the-entire-web
>>>
>>> https://letsencrypt.org/
>>
>> While I think that most things that the EFF does are good,
>> I'm not so sure about this.  There are significant flaws
>> in the Certificate Authority model (see recent IEEE Software
>> article, I believe).
>>
>> If anyone can obtain a certificate using an automated method,
>> what is it certifying?  That someone obtained it using a cheap
>> automated server?  Yes.  That the certificate is for who it
>> claims to represent?  I'm not so sure.
>
> Your point is valid, but even a self-signed certificate adds some
> security by simply making the traffic not possible to snoop by others.
> An attacker now has to launch a man in the middle against you which is
> of course possible, but considerably more effort than just listening
> passively.

Another exploit is for someone to get a certificate for
MacysCalif.com and publish a website resembling the real Macy's
website.  Everything looks OK to the user, the little padlock is locked,
and all traffic is encrypted.  Except it isn't going to the real Macy's,
but to the fraudulent one.  Who likely will pass it along to the
real Macy's, harvesting the userid/password.  Or simply redirecting
and getting out of the middle, after harvesting user credentials.

-- 
Michael Eager	 eager at eagercon.com
1960 Park Blvd., Palo Alto, CA 94306  650-325-8077
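An added example (not from the thread, and not code from Let's Encrypt or the EFF) to make the padlock argument concrete: browser hostname verification only asks whether the certificate's DNS names match the name in the URL, so a certificate legitimately issued for a lookalike name passes that check, and the "is this really the brand I think it is" question has to be answered by a different check. The hostnames, SAN lists, suffix list and brand table below are constructed for illustration and are not real issuance data or Macy's actual domains.

```python
"""Two separate questions about the padlock, demonstrated offline.

1. cert_matches_host(): a minimal RFC 6125-style DNS-ID match, the check a
   browser performs. It is satisfied by any certificate for the visited name.
2. lookalike_brand(): a defender-side heuristic that flags a registrable
   domain which embeds a brand token but is not one of that brand's domains.
All inputs are constructed for this example; no network access is used.
"""

# Constructed, tiny public-suffix list; real tooling uses the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed brand -> legitimate registrable domains table (assumption).
BRANDS = {"macys": {"macys.com"}}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match. One leading '*' label is allowed and
    matches exactly one label; '*.com'-style patterns are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names, hostname: str) -> bool:
    """What the browser checks before showing the padlock: does any SAN
    dNSName in the certificate match the hostname in the URL?"""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


def registrable_domain(hostname: str) -> str:
    """Return the label directly under the longest known public suffix,
    e.g. www.macyscalif.com -> macyscalif.com, shop.macys.co.uk -> macys.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return hostname.lower()


def lookalike_brand(hostname: str):
    """Return the brand token a hostname impersonates, or None. A name is
    flagged when its registrable domain's first label contains a brand token
    but the registrable domain is not in that brand's legitimate set."""
    reg = registrable_domain(hostname)
    first_label = reg.split(".")[0]
    for brand, legit_domains in BRANDS.items():
        if brand in first_label and reg not in legit_domains:
            return brand
    return None


if __name__ == "__main__":
    # Constructed certificate for the lookalike site: a CA that only proves
    # domain control would issue exactly this.
    lookalike_san = ["macyscalif.com", "www.macyscalif.com"]
    visited = "www.macyscalif.com"
    print("padlock shown:", cert_matches_host(lookalike_san, visited))   # True
    print("same cert valid for macys.com:", cert_matches_host(lookalike_san, "macys.com"))  # False
    print("lookalike of:", lookalike_brand(visited))                     # macys
    print("lookalike of www.macys.com:", lookalike_brand("www.macys.com"))  # None
```

The point of the two functions side by side: the certificate check passes for the fraudulent site exactly as it would for the real one, so the padlock certifies domain control and nothing more; catching MacysCalif.com requires a brand-aware check (or the user noticing the name), which is a different problem from encryption.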