Hello,
I've found a vulnerability in current Mozilla releases in the certificate handling: One specially crafted email can be used to exclude the emails' recipients from HTTPS-Connections using eg. a thawte-signed cert, no user interaction is needed nor warnings shown. The vulnerability is not only exploitable by email but also by specially prepared web pages. The exploit is possible to all the certificates stored in the built-in certificate store.
The vulnerabilities have been reported to mozilla.org, as well as some linux distributors including the Mozilla browser; until now there has been no reaction.
See the details on https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127186 and on http://bugzilla.mozilla.org/show_bug.cgi?id=249004, as well as on my diploma thesis project page that can be found on https://banquo.inf.ethz.ch:8080/.
I'm looking forward to hearing from you.
Yours sincerely,
Marcel Boesch _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
