I figured this presentation might be of interest to this list:
https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf
It seems they found 5 (unspecified) public CAs out of 17 tested were
vulnerable to this attack, which can be performed by an off-path attacker.
On 2017-03-30 23:30, Alex Gaynor via dev-security-policy wrote:
>>> 1. HTTP
>>> 2. "I explicitly asked for security and didn't get it" (HTTPS with no
>>> validation)
>>> 3. HTTPS
>
> You're not wrong that (2) is better than (1). It's also indistinguishable
> from a downgrade attack from (3).
But
On 28/03/17 08:23, Peter Gutmann via dev-security-policy wrote:
Martin Heaps via dev-security-policy writes:
This topic is frustrating in that there seems to be a wide attempt by people
to use one form of authentication (DV TLS) to verify another form