[SSL Observatory] Does the Obs. provide cert validation through HTTP uploads?

Ondrej Mikle ondrej.mikle at gmail.com
Sun Mar 27 12:47:58 PDT 2011


On 03/27/11 16:53, Erik Hjelmvik wrote:
> More info on how to extract X.509 certs from SSL sessions in a pcap
> file, and how to look for signs of MITM attacks:
> http://www.netresec.com/?page=Blog&month=2011-03&post=Network-Forensic-Analysis-of-SSL-MITM-Attacks

One needs to be a bit cautious with Perspectives' responses. Two examples that
may seem like MITM attacks, which I found today:

https://www.networknotary.org/notary_web/notary_query?host=crypto.telecomix.org&port=443
https://www.networknotary.org/notary_web/notary_query?host=pad.telecomix.org&port=443

Notary cmu.ron.lcs.mit.edu shows a different fingerprint than the rest of the
notaries for the last circa 2 days. In the SSL Observatory DB I found only a very
old pad.telecomix.org cert.

The explanation is simple, but I had to look in the sources (didn't see it on
the web or any docs):

Notary cmu.ron.lcs.mit.edu does use Server Name Indication (SNI), while the others
do not (SNI is disabled by default in ssl_scan_openssl.py). Running 'openssl
s_client' once with '-servername' and then without gives exactly the two certs
that the notaries disagree upon.


Regards,
  OM
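An added check for the SNI explanation in the message above, not from the original author: a small POSIX sh script (hypothetical name sni_cert_check.sh) that fetches a host's leaf certificate with and without SNI via openssl s_client and compares the SHA-256 fingerprints, so a notary disagreement can be tested against the with/without-SNI split before it is treated as a MITM. It assumes OpenSSL 1.1.1 or later on PATH, where s_client sends SNI by default and -noservername is the flag that suppresses it.

```shell
#!/bin/sh
# sni_cert_check.sh (hypothetical name, added example): fetch the leaf
# certificate a server presents with and without SNI and compare the
# fingerprints. A notary disagreement that matches the with/without-SNI
# split is a configuration artefact, not evidence of a MITM.
# Assumes OpenSSL >= 1.1.1 on PATH: s_client now sends SNI by default,
# so -noservername is needed to reproduce the 2011 "SNI disabled" probe.

# SHA-256 fingerprint of a PEM certificate file, e.g. AB:CD:...
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# fetch_leaf_cert HOST PORT sni|nosni OUTFILE
# Writes the server's leaf certificate (PEM) to OUTFILE.
fetch_leaf_cert() {
  host=$1; port=$2; mode=$3; out=$4
  case $mode in
    sni)   extra="-servername $host" ;;
    nosni) extra="-noservername" ;;
    *)     echo "mode must be sni or nosni" >&2; return 2 ;;
  esac
  openssl s_client -connect "$host:$port" $extra </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$out"
}

# compare_certs A.pem B.pem: returns 0 if same leaf cert, 1 if different.
compare_certs() {
  a=$(cert_fingerprint "$1"); b=$(cert_fingerprint "$2")
  if [ "$a" = "$b" ]; then
    echo "same certificate with and without SNI: $a"
    return 0
  fi
  echo "different certificates (SNI-dependent; check before calling it MITM):"
  echo "  with SNI:    $a"
  echo "  without SNI: $b"
  return 1
}

# Usage: sh sni_cert_check.sh pad.telecomix.org 443
main() {
  host=${1:?usage: $0 HOST [PORT]}; port=${2:-443}
  tmp=$(mktemp -d) || return 1
  fetch_leaf_cert "$host" "$port" sni   "$tmp/sni.pem"   || return 1
  fetch_leaf_cert "$host" "$port" nosni "$tmp/nosni.pem" || return 1
  compare_certs "$tmp/sni.pem" "$tmp/nosni.pem"; rc=$?
  rm -rf "$tmp"; return $rc
}
if [ $# -gt 0 ]; then main "$@"; fi
```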


