On Mon, Mar 14, 2011 at 6:43 AM, coderman <[email protected]> wrote: > On Sun, Mar 13, 2011 at 7:31 PM, Matt McCutchen <[email protected]> > wrote: >> If I make a TLS connection to example.com, a MITM attacker can divert >> the connection to any server that bears a certificate valid for >> example.com, ... especially likely to arise with wildcard certificates. >> ... >> I plan to release an automated testing >> tool, but I decided to go ahead and publicize the issue first. > > ... > > p.s. marsh ray: wildcard certs are a useful tool when properly applied. > (though i admit most won't use them properly. par for the crypto course...) Its always nice when the reception's machine in the lobby is trusted to act as a web server and serve content.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
