Full Disclosure mailing list archives

Re: TLS servers with overbroad certificates may mishandle diverted connections
From: Florian Weimer <fweimer () bfk de>
Date: Tue, 15 Mar 2011 07:37:01 +0000

* Matt McCutchen:

> To test a server, simply view its certificate, choose a DNS name for
> which the certificate is valid but for which the server is not listed in
> DNS, and map that name to the server in your hosts file.

So you need a certificate to make this work.  This is out of scope of
what TLS protects against.  If you've got a breach on the X.509 side
of things, TLS won't help you (if you rely on X.509 certificates).

> An HTTP redirect to a non-TLS site is bad: if it happens on a request
> for a JavaScript file, the attacker can now inject malicious code.

I agree that this can be a problem, but it is not a protocol issue.
It's a server-side misconfiguration, combined with a certificate that
was inappropriately acquired or shared.

Florian Weimer                <fweimer () bfk de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
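The hosts-file test Matt describes, written up as an audit script for one's own servers (example code added here, not from the original mail or either author): it connects to a server address while presenting a certificate-covered name that the server is not meant to serve, and reports whether the answer is a redirect to plain http://. The server address, the name and the port are assumed inputs.

```python
import socket
import ssl
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response_head(raw: bytes):
    """Split an HTTP/1.x response head into (status code, {header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers

def classify_redirect(status: int, headers: dict) -> str:
    """'ok' (no redirect), 'redirect' (stays on https:// or is relative), or
    'redirect-downgrade' (Location points at plain http://, the case in the
    mail: a script fetched over that hop can be swapped by a network attacker)."""
    if status not in REDIRECT_CODES or "location" not in headers:
        return "ok"
    scheme = urlsplit(headers["location"]).scheme.lower()
    return "redirect-downgrade" if scheme == "http" else "redirect"

def probe(server_addr: str, name: str, port: int = 443) -> str:
    """Connect to your own server at server_addr, but present `name` (a DNS
    name taken from its certificate's SAN list) as SNI and Host header, which
    is what a client whose connection was diverted to this server would send.
    Certificate validation stays on: the problem only exists when the cert is
    valid for `name`, which is exactly what makes the diversion silent."""
    ctx = ssl.create_default_context()
    request = f"GET / HTTP/1.1\r\nHost: {name}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((server_addr, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            tls.sendall(request)
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    return classify_redirect(*parse_response_head(data))

if __name__ == "__main__":
    import sys
    # usage: python probe.py <server address> <name from the certificate>
    print(probe(sys.argv[1], sys.argv[2]))
```

A result of "redirect-downgrade" for a name the server does not actually host is the misconfiguration Florian attributes to the server side, and the fix is to answer unknown Host values with an error or an https:// redirect rather than an http:// one.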
