[cryptography] This is bad. This is really bad. (Isn't it?)

Dave Howe davehowe.pentesting at gmail.com
Wed Nov 25 07:23:22 EST 2015

On 23/11/2015 22:33, rvh40 at insightbb.com wrote:
> UPDATE: I've been reading that a lot of people are skeptical in the
> sense that this CA can't actually do anything because the CA has no
> capabilities. I did some more research and found out that this CA can
> indeed sign server certificates. I've updated the list of files above
> to include a certificate issued by the CA with file name
> "badgoogle.crt", which you can also see in this screenshot. For those
> that are unfamiliar with how this works, a network attacker could use
> this CA to sign his or her own fake certificates for use on real
> websites and an affected Dell user would be none the wiser unless
> they happened to check the website's certificate chain. This CA could
> also be used to sign code to run on people's machines, but I haven't
> tested this out yet.

Worth noting also that a deliberate exception is made to certificate
pinning by Chrome/IE where there are locally added roots - so if you
use this to issue a cert for a pinned site, it will still be accepted :(
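
The pinning exception noted above, modeled as an added example (not part of the original message and not browser code): a simplified pin decision in which a chain ending at a locally added root skips the pin check, plus an audit helper that lists such acceptances. All names, keys and the `PINS` table are constructed for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass

def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64 of SHA-256 over the SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

@dataclass(frozen=True)
class Cert:
    subject: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo

@dataclass(frozen=True)
class Anchor:
    cert: Cert
    locally_added: bool  # True = installed on the machine, not in the built-in root set

# Constructed sample data: every name and key below is made up.
PUBLIC_ROOT = Anchor(Cert("Example Public Root", b"public-root-key"), False)
OTHER_PUBLIC = Anchor(Cert("Other Public Root", b"other-root-key"), False)
LOCAL_ROOT = Anchor(Cert("Example Preinstalled Root", b"local-root-key"), True)
PINS = {"pinned.example": {spki_pin(PUBLIC_ROOT.cert.spki)}}

def evaluate(host: str, chain: list[Cert], anchor: Anchor) -> str:
    """Pin decision for a chain that already passed path validation to `anchor`."""
    pins = PINS.get(host)
    if not pins:
        return "accept:no-pins"
    if anchor.locally_added:
        # The exception described above: pins are not enforced for local roots.
        return "accept:pin-bypassed-local-root"
    presented = {spki_pin(c.spki) for c in chain + [anchor.cert]}
    return "accept:pin-match" if presented & pins else "reject:pin-mismatch"

def audit(events):
    """Defender view: pinned hosts accepted only through the local-root exception."""
    return [host for host, chain, anchor in events
            if evaluate(host, chain, anchor) == "accept:pin-bypassed-local-root"]

LEAF_REAL = Cert("pinned.example", b"real-leaf-key")
LEAF_OTHER = Cert("pinned.example", b"other-leaf-key")
EVENTS = [
    ("pinned.example", [LEAF_REAL], PUBLIC_ROOT),    # chain contains the pinned key
    ("pinned.example", [LEAF_OTHER], OTHER_PUBLIC),  # public root, no pinned key
    ("pinned.example", [LEAF_OTHER], LOCAL_ROOT),    # locally added root, no pinned key
]
```

Only the second event is rejected; the third is accepted without a pin match, which is why the audit helper reports it.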
