Perfect MITM Attacks With No-Check SSL Certs - Slashdot

Follow Slashdot blog updates by subscribing to our blog RSS feed

×

Perfect MITM Attacks With No-Check SSL Certs 300

Posted by kdawson on Tuesday December 23, 2008 @09:07AM from the stuck-in-the-middle-with-you dept.

StartCom writes "In a previous article I reported about Man-In-The-Middle attacks and spotlighted an example showing that they really happen. MITM attacks just got easier. In the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and a fully trusted certificate? No problem, just head over to one of Comodo's resellers. Screenshots and disclosure provided at the link."

This discussion has been archived. No new comments can be posted.

Perfect MITM Attacks With No-Check SSL Certs

Search 300 Comments Log In/Create an Account

Comments Filter:

Really now. (Score:5, Funny)

by cp.tar ( 871488 ) writes: <cp.tar.bz2@gmail.com> on Tuesday December 23, 2008 @09:21AM (#26210667) Journal

The example cited is "RESOLVED INVALID". The link to the "perfect attack" seems to be slashdotted. And at the time I started writing this comment, there have been no comments whatsoever.
Does this mean that Slashdotters have all swarmed the link trying to find out how to execute the perfect attack? Are we seeing a new trend here, with people actually reading TFAs?
Or is it that too many people have Greasemonkey scripts filtering out kdawson's posts?

Share
twitter facebook
Looks like DDOS beats all (Score:3, Funny)

by 00_NOP ( 559413 ) writes: on Tuesday December 23, 2008 @09:22AM (#26210673) Homepage

It had "0" comments when I started and I still could not RTFA

Share
twitter facebook
Re:Really now. (Score:5, Funny)

by ghmh ( 73679 ) writes: on Tuesday December 23, 2008 @09:26AM (#26210711)

Apparently the perfect attack is actually 'Slashdot in the Middle'

Parent Share
twitter facebook
Re:Don't do this at home (Score:3, Funny)

by Anonymous Coward writes: on Tuesday December 23, 2008 @10:32AM (#26211233)

I have a much bigger concern. Who certifies those who certify the certifiers?

Parent Share
twitter facebook
Re:Don't do this at home (Score:2, Funny)

by gomiam ( 587421 ) writes: on Tuesday December 23, 2008 @10:59AM (#26211481)

...your local psychiatrist?

Parent Share
twitter facebook
Re:Don't do this at home (Score:2, Funny)

by ScreamingCactus ( 1230848 ) writes: on Tuesday December 23, 2008 @11:02AM (#26211503)

Simple. We give the MITM attackers the power to certify the certifiers. That way we have a system of checks and balances.

Parent Share
twitter facebook
Re:Don't do this at home (Score:3, Funny)

by kabloom ( 755503 ) writes: on Tuesday December 23, 2008 @01:12PM (#26213019) Homepage

Nobody. They don't have an HTTPS site.

Parent Share
twitter facebook
Re:OK, which CA must leave the trusted list? (Score:3, Funny)

by dubbreak ( 623656 ) writes: on Tuesday December 23, 2008 @01:47PM (#26213505)

but yes, I think making and enforcing standards for CAs is a good role for the government.

Which "the government" are you talking about here? ...
I nominate Canada. They seem to be a respected world power. Everyone will be willing to listen to them.

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

390 comments32-Hour Workweek for America Proposed by Senator Bernie Sanders
358 commentsWhat Should Happen to Empty Downtown Office Spaces?
340 commentsHacktivism Erupts In Response To Hamas-Israel War
324 comments'Feedback' Is Now Too Harsh. The New Word is 'Feedforward'
248 commentsWorkers are Resisting Calls to Return to Offices

"What man has done, man can aspire to do." -- Jerry Pournelle, about space flight