Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-30 Thread Hector Martin via dev-security-policy
On 2017-03-30 23:30, Alex Gaynor via dev-security-policy wrote:
>>> 1. HTTP
>>> 2. "I explicitly asked for security and didn't get it" (HTTPS with no
>>> validation)
>>> 3. HTTPS
>
> You're not wrong that (2) is better than (1). It's also indistinguishable
> from a downgrade attack from (3). But

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-29 Thread Hector Martin via dev-security-policy
On 28/03/17 08:23, Peter Gutmann via dev-security-policy wrote:
> Martin Heaps via dev-security-policy writes:
>> This topic is frustrating in that there seems to be a wide attempt by people to use one form of authentication (DV TLS) to verify another form

DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-11 Thread Hector Martin via dev-security-policy
I figured this presentation might be of interest to this list: https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf It seems they found 5 (unspecified) public CAs out of 17 tested were vulnerable to this attack, which can be performed by an off-path attacker.