[cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

Jon Callas jon at callas.org
Thu Jan 8 18:57:08 EST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


On Jan 8, 2015, at 3:37 PM, John Levine <johnl at iecc.com> wrote:

> 
> Do the fake certs validate in web browsers?  


No, they do not validate.

If you go (went) to a Youtube, Vimeo, etc. site, URL, embedded whatever, you'd get the expected browser cert failure error.


> If so, who's giving them fake
> *.google.com certs?

I apologize for being a smartass on this, especially since the premise of your conditional is false. But I just can't resist; please take this with the humor I offer it with:

https://www.google.com/search?q=how+do+I+use+openssl+to+generate+a+certificate

	Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.3.0 (Build 9060)
Charset: us-ascii

wsBVAwUBVK8ZcvD9H+HfsTZWAQhklQf+PFg6a0O6ap3ewKH4hLMz2vGaoDC3d+Ye
HN5LYlvjdQsHqYgizc9QFHdT0/y9ZdWcpS99heaUeYPaGsMxoEId+WfCMfpUj6UD
683KSegfPq+lGev3MHaX6t0Eq0j+VojFuBdRHQ3HyRrnuNgT8yxfs9jnpQS/2AKh
EBbuxS4hB5Ar8pwJdHTjgxjjqqLif0ouhL+GFsWUbAq6RsEIVowcoSNXqzgeRPkr
1b25hk2MlebkZssr7L6PGfNKr6cpDccUCjIdXBBMsG/C7ZLg5W0oqQCiirsOYOk6
Kt2gKL/cDDEezdcbSn9cFtklI35RLXJoM3Oty/iEVzXYuibaHcyqiQ==
=6PT0
-----END PGP SIGNATURE-----


More information about the cryptography mailing list