[SSL Observatory] https://controller.mobile.lan

Chris Palmer chris at noncombatant.org
Mon Feb 6 13:08:33 PST 2012


On 2012-02-06 23:52, ArkanoiD wrote:

> Wait.. It is signed for just one FQDN, what is the point of using it for
> MITM?

The attackers/network operators know/hope that users will just click through
any warning. It doesn't have to be a valid cert for the name to function as
a successful MITM attack tool. And some clients will blindly accept any
certificate without warning the user at all.

This is why we need hard-fail for wrong certificates, such as the preloaded
or dynamic pins provide, for all protocols (not just HTTPS).
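The two client behaviours described above, as an added, runnable illustration (this is not code from the original post, from EFF or from any of the clients discussed). It spins up a loopback TLS server holding either a certificate for a hypothetical site, bank.example, or an interceptor's certificate issued only for controller.mobile.lan, then connects with two clients: one that accepts any certificate (the "blindly accept" case) and one that hard-fails unless the SHA-256 of the leaf's SubjectPublicKeyInfo matches a pin obtained out of band, the form of pin used by Chromium's preloaded pins. Both certificates are constructed in-process test material; the Go standard library (1.21 or newer, for slices) is all it needs:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// selfSigned builds a throwaway self-signed ECDSA certificate for one DNS name (constructed test material).
func selfSigned(name string, serial int64) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only a broken RNG gets here
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// spkiPin is the pin value: SHA-256 over the DER-encoded SubjectPublicKeyInfo.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// pinnedConfig hard-fails the handshake unless the leaf's SPKI hash is one of pins.
func pinnedConfig(serverName string, pins ...[32]byte) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		// Skipped only so the demo's self-signed certs reach the callback; a real
		// client keeps chain and hostname verification and applies the pin on top.
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			if got := spkiPin(leaf); !slices.Contains(pins, got) {
				return fmt.Errorf("pin mismatch for %s: presented SPKI pin %x", serverName, got)
			}
			return nil
		},
	}
}

// handshake runs one TLS handshake over loopback TCP and returns the client's verdict.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side; its own handshake outcome is not what is measured
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial performs the handshake
	if err == nil {
		conn.Close()
	}
	return err
}

// Verdicts holds the client-side outcome of each pairing; nil means the client connected.
type Verdicts struct{ BlindLegit, BlindMITM, PinnedLegit, PinnedMITM error }

// RunScenario plays the thread's situation: a client that wants bank.example (hypothetical) is
// handed either that site's own certificate or the interceptor's, valid only for controller.mobile.lan.
func RunScenario() Verdicts {
	legit := selfSigned("bank.example", 1)
	mitm := selfSigned("controller.mobile.lan", 2)
	blind := &tls.Config{ServerName: "bank.example", InsecureSkipVerify: true} // accepts anything
	pinned := pinnedConfig("bank.example", spkiPin(legit.Leaf))             // pin obtained out of band
	return Verdicts{
		BlindLegit: handshake(legit, blind), BlindMITM: handshake(mitm, blind),
		PinnedLegit: handshake(legit, pinned), PinnedMITM: handshake(mitm, pinned),
	}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it shows the blind client connecting to both certificates without complaint, which is all an interceptor presenting a certificate for the wrong name needs, while the pinned client connects to the real key and fails closed on the interceptor's. The pin is a property of the key, not of the name or the issuer, so it holds whether the presented certificate is self-signed, CA-issued or issued for some other host, and there is no warning dialog for a user to click through.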
