How to tell a fake SSL certificate from a real one

Thread started by Joan Battaglia, 10-27-2007
Posted by Anne & Lynn Wheeler on November 3, 2007, 4:01 pm
> or old email from 1981 discussing pgp-like public key proposal
> http://www.garlic.com/~lynn/2006w.html#email810515

re:
http://www.garlic.com/~lynn/2007q.html#72 Value of SSL client certificates?
http://www.garlic.com/~lynn/2007q.html#73 Value of SSL client certificates?
http://www.garlic.com/~lynn/2007r.html#12 How to tell a fake SSL certificate from a real one
http://www.garlic.com/~lynn/2007r.html#17 How to tell a fake SSL certificate from a real one
http://www.garlic.com/~lynn/2007r.html#18 How to tell a fake SSL certificate from a real one
http://www.garlic.com/~lynn/2007r.html#19 How to tell a fake SSL certificate from a real one
http://www.garlic.com/~lynn/2007r.html#24 How to tell a fake SSL certificate from a real one


from my RFC index
http://www.garlic.com/~lynn/rfcietff.htm

recent PGP RFCs

http://www.garlic.com/~lynn/rfcidx16.htm#5081

5081 E
Using OpenPGP Keys for Transport Layer Security (TLS) Authentication,
Mavrogiannopoulos N., 2007/11/02 (8pp) (.txt=15300) (Refs 3280, 4346,
4366, 4880) (was draft-ietf-tls-openpgp-keys-11.txt)

http://www.garlic.com/~lynn/rfcidx16.htm#4880

4880 PS
OpenPGP Message Format, Callas J., Donnerhacke L., Finney H., Shaw D.,
Thayer R., 2007/11/02 (90pp) (.txt=203706) (Obsoletes 1991, 2440) (Refs
1423, 1950, 1951, 1991, 2045, 2440, 2822, 3156, 3447, 3629, 4086)
(Ref'ed By 5081) (was draft-ietf-openpgp-rfc2440bis-22.txt)

and as always ... clicking on the ".txt=nnn" field, retrieves the actual
RFC

could we be getting closer to certificateless SSL/TLS protocol?
misc. posts mentioning publickey certificateless operation
http://www.garlic.com/~lynn/subpubkey.html#certless

for additional drift, posts mentioning possibility of general use of
"on-file" public keys (from the domain name system), including for a
SSL/TLS protocol like operation.
http://www.garlic.com/~lynn/subpubkey.html#catch22

and for even more drift ... a totally different DNS topic drift
(from a thread in comp.arch)
http://www.garlic.com/~lynn/2007r.html#48 Half a Century of Crappy Computing

Posted by Ari on October 28, 2007, 4:41 pm
On Sun, 28 Oct 2007 04:58:16 +0000 (UTC), Anonymous Sender wrote:

> You're right of course. There's no shortage of inattentive or ignorant
> users in the world. But this is a PEBKAC problem, not a software or
> security methods issue.

So basically you're telling us you don't have an argument anymore after
you found out Tor's developers have no problem with the commercial
nature of Xerobank so you're reduced to puerile whining. You conceded
your idiotic "stolen software" argument, abandoned the "bandwidth" issue
in record time, and rather than be adult enough to just admit your
mistakes you'd rather impress us with taking cheap shots at anonymous
posters in general from behind a remailer.

How pathetic. Thanks for clearing all that up for us this week too,
kiddo. :)
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

Posted by Anonymous Sender on October 28, 2007, 4:49 pm
On Sun, 28 Oct 2007 04:58:16 +0000 (UTC), Anonymous Sender wrote:

> bealoid wrote:
>
>>
>> [snip]
>>
>>> I routinely say yes to all certificate requests because I
>>> never understood them.
>>
>> Unfortunately you're not the only person to do so. :-( Other people will
>> also click [YES] when some malware is asking to be installed.
>
> You're right of course. There's no shortage of inattentive or ignorant
> users in the world. But this is a PEBKAC problem, not a software or
> security methods issue.
>
>>
>>> Now I will take the time to read them.
>>
>> Good Luck.
>
> It's really pretty simple. If you get an error that you didn't expect
> or one that can't be easily explained by things like the Linksys
> router issue or periodic rotation of expired SSL certificates, then you
> don't accept them. Period. Unless you know for sure that the reason for
> the error has a verifiable and natural cause, you click 'NO', 'CANCEL',
> or whatever negative response your software offers you. If you're in
> doubt as to what to click, close the software altogether.
>
> If you've made a mistake and the connection was actually kosher then no
> harm done. You have ample time to sort it out and make a final
> determination about a given certificate. OTOH, if you err on the side
> opposite of caution you may have precious few minutes to sort it out
> before some script kiddie cleans out your bank account by wire
> transferring your entire balance to Taiwan. :(

> I have never insulted you to the best of my belief and knowledge.

ROTFLMAO!

That's the biggest load of shit you've EVER posted.

> It appears it is insulting to you when someone disagrees with you.

Talk about the pot calling the kettle black.

Insulting people who disagree with you is ALL you do.

> The remainder of the trolling rubbish removed.

Can't face the truth eh?

Just blame everyone else for doing what you do and run away little boy.
That makes it all go away.

NOT!

--
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQB5AwUBRx4c0gEP2aowjishfaHfJAQGLWwMgjZk5mxNcthP1YeCHaXldbqOUOUbvgkYp
/EdaOVSasH6Okkz2UMQapklsfjqipoejgSPj/EgGiAzZkitdCE64mJ/vP3aYISL8/DNask3JPfF
U1zJXY87GynBB1jq+APaNXyrE1DpU75zz9Twpw==
=A8Gm
-----END PGP SIGNATURE-----

Posted by Sebastian G. on October 28, 2007, 5:57 pm
Anonymous Sender wrote:


>> It's really pretty simple. If you get an error that you didn't expect
>> or one that can't be easily explained by things like the Linksys
>> router issue or periodic rotation of expired SSL certificates, then you
>> don't accept them. Period. Unless you know for sure that the reason for
>> the error has a verifiable and natural cause, you click 'NO', 'CANCEL',
>> or whatever negative response your software offers you. If you're in
>> doubt as to what to click, close the software altogether.
>>
>> If you've made a mistake and the connection was actually kosher then no
>> harm done. You have ample time to sort it out and make a final
>> determination about a given certificate. OTOH, if you err on the side
>> opposite of caution you may have precious few minutes to sort it out
>> before some script kiddie cleans out your bank account by wire
>> transferring your entire balance to Taiwan. :(
>
>> I have never insulted you to the best of my belief and knowledge.
>
> ROTFLMAO!
>
> That's the biggest load of shit you've EVER posted.


WTF? This is actually the most sensible advice one could give. If in doubt,
an SSL error should be considered a consequence of an attack, and the
protocol specifies that the connection be cancelled altogether.
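
What "cancel the connection" versus "click yes" looks like in code, as an added example that is not part of Sebastian G.'s post or anyone else's in this thread. The script starts a loopback TLS server presenting a throwaway self-signed certificate and connects to it four ways: a fail-closed client against the public trust store (the unexpected error case), the "say yes to everything" client bealoid described, a fail-closed client whose trust store holds the certificate because it was verified out of band (the "verifiable and natural cause" case), and that same client asked for a name the certificate was not issued for. It assumes the `openssl` CLI is on PATH to mint the certificate; the bind address `127.0.0.1`, the certificate name `localhost` and the decoy name `bank.example` are constructed for the demo.

```python
"""Fail-closed TLS client versus "click yes" client on a loopback server.

Added example, not code from the thread.  Assumes the `openssl` CLI is on
PATH to mint a throwaway self-signed certificate; the addresses and names
below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import os
import socket
import ssl
import subprocess
import tempfile
import threading

BIND_ADDR = "127.0.0.1"   # where the demo server listens (constructed)
CERT_NAME = "localhost"   # name the throwaway certificate is issued for (constructed)


def mint_self_signed(cn: str) -> tuple[str, str]:
    """Mint a self-signed cert/key pair with the openssl CLI (constructed test data).

    The -addext matters: clients match the hostname against subjectAltName,
    so a certificate without a SAN would fail the name check on its own.
    """
    workdir = tempfile.mkdtemp()
    cert, key = os.path.join(workdir, "cert.pem"), os.path.join(workdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", f"/CN={cn}", "-addext", f"subjectAltName=DNS:{cn}"],
        check=True, capture_output=True,
    )
    return cert, key


def sha256_fingerprint(pem_path: str) -> str:
    """SHA-256 over the DER encoding: the fingerprint a browser's cert viewer shows."""
    with open(pem_path) as f:
        der = ssl.PEM_cert_to_DER_cert(f.read())
    return hashlib.sha256(der).hexdigest()


def serve(cert: str, key: str, n_clients: int, ready: threading.Event, info: dict) -> None:
    """Accept n_clients TLS connections, presenting the self-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    with socket.socket() as srv:
        srv.bind((BIND_ADDR, 0))
        srv.listen(5)
        info["port"] = srv.getsockname()[1]
        ready.set()
        for _ in range(n_clients):
            conn, _ = srv.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"hello")
            except (ssl.SSLError, OSError):
                pass  # a fail-closed client tore the handshake down; that is the point
            finally:
                conn.close()


def connect(port: int, hostname: str = CERT_NAME, trust_store: str | None = None,
            click_yes: bool = False) -> tuple[str, str | int]:
    """Return ("accepted", sha256 fingerprint) or ("rejected", OpenSSL verify code).

    The default context verifies the chain against the system trust store (or
    trust_store, if given) and checks the hostname; on failure it raises rather
    than asking.  click_yes=True is what clicking [YES] amounts to: no chain
    check, no name check, any certificate goes.
    """
    ctx = ssl.create_default_context(cafile=trust_store)
    if click_yes:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((BIND_ADDR, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            return "accepted", hashlib.sha256(der).hexdigest()
    except ssl.SSLCertVerificationError as exc:
        return "rejected", exc.verify_code   # 18 = depth-zero self-signed cert


def demo() -> tuple[dict[str, tuple[str, str | int]], str]:
    """Run the four client scenarios; return their outcomes and the on-file fingerprint."""
    cert, key = mint_self_signed(CERT_NAME)
    ready, info = threading.Event(), {}
    server = threading.Thread(target=serve, args=(cert, key, 4, ready, info), daemon=True)
    server.start()
    if not ready.wait(5):
        raise RuntimeError("demo server did not start")
    port = info["port"]
    results = {
        "strict, unknown issuer": connect(port),
        "click yes, unknown issuer": connect(port, click_yes=True),
        "strict, issuer pinned out of band": connect(port, trust_store=cert),
        "strict, pinned but wrong name": connect(port, trust_store=cert, hostname="bank.example"),
    }
    server.join(5)
    return results, sha256_fingerprint(cert)


if __name__ == "__main__":
    outcomes, on_file = demo()
    print("fingerprint on file:", on_file)
    for scenario, outcome in outcomes.items():
        print(f"{scenario:36} -> {outcome}")
```

The only path that accepts the certificate without giving up verification is the one whose trust store was populated out of band; that is the "verifiable and natural cause" case from the quoted advice, and it is the client, not a dialog box, that decides. The "click yes" client reports the same fingerprint as the file on disk, which is the point of looking at a certificate at all: a fingerprint is only evidence when it is compared against one obtained through a channel the attacker does not control.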

Posted by Ari on October 28, 2007, 7:47 pm
On Sun, 28 Oct 2007 15:49:20 -0500, Anonymous Sender wrote:

>>>> Now I will take the time to read them.
>>>
>>> Good Luck.
>>
>> It's really pretty simple. If you get an error that you didn't expect
>> or one that can't be easily explained by things like the Linksys
>> router issue or periodic rotation of expired SSL certificates, then you
>> don't accept them. Period. Unless you know for sure that the reason for
>> the error has a verifiable and natural cause, you click 'NO', 'CANCEL',
>> or whatever negative response your software offers you. If you're in
>> doubt as to what to click, close the software altogether.
>>
>> If you've made a mistake and the connection was actually kosher then no
>> harm done. You have ample time to sort it out and make a final
>> determination about a given certificate. OTOH, if you err on the side
>> opposite of caution you may have precious few minutes to sort it out
>> before some script kiddie cleans out your bank account by wire
>> transferring your entire balance to Taiwan. :(
>
>> I have never insulted you to the best of my belief and knowledge.
>
> ROTFLMAO!
>
> That's the biggest load of shit you've EVER posted.

Except that I didn't post it, A$$hole. lol
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/
