I figured this presentation might be of interest to this list:
It seems they found 5 (unspecified) public CAs out of 17 tested were
vulnerable to this attack, which can be performed by an off-path attacker.
On 2017-03-30 23:30, Alex Gaynor via dev-security-policy wrote:
>>> 1. HTTP
>>> 2. "I explicitly asked for security and didn't get it" (HTTPS with no
>>> 3. HTTPS
> You're not wrong that (2) is better than (1). It's also indistinguishable
> from a downgrade attack from (3).
On 28/03/17 08:23, Peter Gutmann via dev-security-policy wrote:
Martin Heaps via dev-security-policy
This topic is frustrating in that there seems to be a wide attempt by people
to use one form of authentication (DV TLS) to verify another form