I am looking at a device that has an embedded OS that can be managed through an embedded web server. For some strange design reason the device has it's own CA server that issues itself a certificate and then verifies the issued certificate against itself.
There is a multitude of reason's why this is bad certificate management, but specifically I was trying to figure out a way to have the embedded CA issue a rouge certificate that I could be used on www.badperson.com as an SSL cert. Other than decompiling the firmware and using a hex editior does someone have any suggestions on doing this ? I thought it might be possible with a downgrade attack, but I am told that even if you do a downgrade attack to 40-bit encryption that only provides the 40-bit private key of the CA server. any help or suggestions would be greatly appreciated
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
