[cryptography] yet another certificate MITM attack
iang at iang.org
Tue Jan 15 02:13:58 EST 2013
On 15/01/13 04:53 AM, dan at geer.org wrote:
>> Oh, I see. So basically they are breaking the implied promise of the
>> https component of the URL.
>> In words, if one sticks https at the front of the URL, we are
>> instructing the browser as our agent to connect securely with the server
>> using SSL, and to check the certs are in sync.
>> The browser is deciding it has a better idea, and is redirecting that
>> URL to a cloud server somewhere.
>> (I'm still just trying to understand the model. Yes, I'm surprised, I
>> had never previously heard of this.)
> Is it not now fair to say that the client has become the server's
> server, and not just in the matter of which we are speaking here?
> Consider the shrinking proportion of the web that is available to
> If irrelevant, please forgive the diversion,
Indeed. Part of the problem is that the net has moved, and the CAs and
vendors have not really noticed. This is the fundamental flaw of
CABForum -- they have documented the technical SSL model to admirable
depth. It's just embarrassing that this is 2013 and that was so 1995.
What to do? Can't stop people living in the past. Just welcome the
people who are living in today?
What has surprised me a bit is that there has been no