In the wise words of Charles Miller:
Actually, the SSL vulnerability is a very predictable answer to an old
question. For a while now, one of the big what ifs of Internet
security has been What if one day, the SSL infrastructure is completely
compromised? The most common hypothetical example
On Fri, 2002-08-16 at 09:11, robert walker wrote:
A huge amount of infrastructure is managed remotely via
SSL and IE these days. It just boggles the mind the
extent to which the security integrity of that
infrastructure is now under a cloud unknowing.
Actually, the SSL vulnerability is a
In-Reply-To: [EMAIL PROTECTED]
Given my background in cryptographic programming,
it is difficult for me to imagine how the cause of this
alleged vulnerability could be explained as programmer
error or oversight. Yet I cannot fathom why MS would
purposely skip such a basic step.
I am
http://theregister.co.uk/content/4/26620.html
I've not tested this on IE because several researchers posting to Benham's
BugTraq thread
(http://online.securityfocus.com/archive/1/286895/2002-08-08/2002-08-14/1)
have confirmed the behavior. But I did test it on Mozilla 0.9.4, which
On Wed, Aug 07, 2002 at 12:24:19PM -0700, Mike Benham wrote:
First of all, https://www.thoughtcrime.org is NOT the demo site. Several
people were confused by this email, and subsequently concluded that their
browser isn't vulnerable because they got an alert that the name on the
certificate
On Mon, Aug 05, 2002 at 04:03:29PM -0700, Mike Benham wrote:
However, there is a slightly more complicated scenario. Sometimes it is
convenient to delegate signing authority to more localized authorities.
In this case, the administrator of www.thoughtcrime.org would get a chain
of
I agree, this is really, really serious. If this is correct, I believe it is
one of the most serious vulnerabilities reported in a long time. People
trust SSL to protect their money, and this is a vulnerability where you
could easily attack thousands of users or go after the banks with a simple
On Thu, Aug 08, 2002 at 01:38:46PM +0200, Balazs Scheidler wrote:
On Mon, Aug 05, 2002 at 04:03:29PM -0700, Mike Benham wrote:
However, there is a slightly more complicated scenario. Sometimes it is
convenient to delegate signing authority to more localized authorities.
In this case,
Hi Mike and the list,
That is one side of an issue I have described in
http://online.securityfocus.com/archive/1/273101
I have to admit, your message captures attention much better than mine. All
for good, if that will be fixed.
The issue
On Wed, 7 Aug 2002, Alex Loots wrote:
Hi Mike,
I visited your demo at https://www.thoughtcrime.org. It appears that Thawte is
the TTP instead of Verisign. Does this make any difference for example the
certificate extensions?
First of all, https://www.thoughtcrime.org is NOT the demo site.
10 matches