On Wed, Oct 10, 2012 at 1:34 PM, <[email protected]> wrote: > I want to find common improper usages of OpenSSL library for SSL/TLS. > > Can be reverse-engineered from a "how to properly use OpenSSL" FAQ, > probably, but would prefer information to the first point rather than > its complement. > -- > http://www.subspacefield.org/~travis/ > Any sufficiently advanced magic is indistinguishable from reality. Well, I just saw a new one: pinning a CA. http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html.
They also failed open (rather than closed) on hostname verification. Sigh.... Jeff _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
