[SSL Observatory] https://controller.mobile.lan
Chris Palmer
chris at noncombatant.org
Mon Feb 6 13:08:33 PST 2012
On 2012-02-06 23:52, ArkanoiD wrote:
> Wait.. It is signed for just one FQDN, what is the point of using it for
> MITM?

The attackers/network operators know/hope that users will just click through
any warning. It doesn't have to be a valid cert for the name to function as
a successful MITM attack tool. And some clients will blindly accept any
certificate without warning the user at all.

This is why we need hard-fail for wrong certificates, such as the preloaded
or dynamic pins provide, for all protocols (not just HTTPS).