[SSL Observatory] https://controller.mobile.lan

ArkanoiD ark at eltex.net
Mon Feb 6 14:10:16 PST 2012


They could use/generate on the fly self-signed for that as well.

On Mon, Feb 06, 2012 at 01:08:33PM -0800, Chris Palmer wrote:
> On 2012-02-06 23:52, ArkanoiD wrote:
> 
> > Wait.. It is signed for just one FQDN, what is the point of using it for
> > MITM?
> 
> The attackers/network operators know/hope that users will just click through
> any warning. It doesn't have to be a valid cert for the name to function as
> a successful MITM attack tool. And some clients will blindly accept any
> certificate without warning the user at all.
> 
> This is why we need hard-fail for wrong certificates, such as the preloaded
> or dynamic pins provide, for all protocols (not just HTTPS).

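The hard-fail pinning that the quoted reply asks for can be shown in a few dozen lines. The following is an added example written for this archive page, not code from the Observatory list or from any project named in the thread. It walks a DER-encoded certificate with a minimal ASN.1 reader, hashes the SubjectPublicKeyInfo in the RFC 7469 form (base64 of SHA-256 over the SPKI DER), and aborts on any certificate whose pin is not in the pin set, with no warning for a user to click through. The two certificates are constructed inline: the hostname is taken from the subject line, the key bytes are placeholders and the signature is a dummy, which is enough because pinning never looks at the signature.

```python
"""Hard-fail SPKI pinning check over DER-encoded X.509 certificates.

Added example, not code from the mailing-list thread. Certificates are
constructed below with placeholder key bytes and a placeholder signature;
only their structure matters for the pin check.
"""
import base64
import hashlib


class PinMismatch(Exception):
    """Raised when the presented certificate's SPKI is not in the pin set."""


# --- DER helpers --------------------------------------------------------
def _der_len(n):
    # Short form below 128 bytes, long form (0x8N followed by N bytes) otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Encode one TLV element."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


# --- pin extraction and verification -----------------------------------
def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV (tag, length and value) of a cert."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    assert tag == 0x30
    tag, tbs, _ = _read_tlv(cert_body, 0)             # tbsCertificate
    assert tag == 0x30
    pos = 0
    tag, _, after = _read_tlv(tbs, pos)
    if tag == 0xA0:                                   # optional EXPLICIT [0] version
        pos = after
    for _ in range(5):                                # serial, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)                 # subjectPublicKeyInfo
    assert tag == 0x30
    return tbs[pos:end]


def spki_pin(cert_der):
    """RFC 7469 style pin: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def verify_pinned(cert_der, pins):
    """Hard-fail policy: a pin mismatch aborts, nothing is offered to click through."""
    pin = spki_pin(cert_der)
    if pin not in pins:
        raise PinMismatch("presented SPKI pin %s not in pin set" % pin)
    return True


# --- constructed sample certificates (placeholder keys, dummy signature) ---
def make_cert(common_name, pubkey_bytes):
    """Build a structurally valid DER certificate around placeholder key bytes."""
    version = der(0xA0, der(0x02, b"\x02"))                                   # v3
    serial = der(0x02, b"\x01")
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))       # sha256WithRSAEncryption
    cn_attr = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, common_name.encode()))
    name = der(0x30, der(0x31, cn_attr))                                      # Name: SEQUENCE of SET of CN
    validity = der(0x30, der(0x17, b"120101000000Z") + der(0x17, b"130101000000Z"))
    alg_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, alg_rsa + der(0x03, b"\x00" + pubkey_bytes))
    tbs = der(0x30, version + serial + sig_alg + name + validity + name + spki)
    signature = der(0x03, b"\x00" * 9)                                        # placeholder, not a real signature
    return der(0x30, tbs + sig_alg + signature)


# The legitimate certificate for the host, and a self-signed look-alike that
# carries the same subject name but a different key, as an interception box
# would present. Both are constructed here; the key bytes are placeholders.
LEGIT_CERT = make_cert("controller.mobile.lan", b"\x01" * 16)
MITM_CERT = make_cert("controller.mobile.lan", b"\x02" * 16)
PIN_SET = {spki_pin(LEGIT_CERT)}


if __name__ == "__main__":
    print("legit accepted:", verify_pinned(LEGIT_CERT, PIN_SET))
    try:
        verify_pinned(MITM_CERT, PIN_SET)
    except PinMismatch as exc:
        print("look-alike rejected:", exc)
```

The walker is deliberately tied to the fixed field order of TBSCertificate rather than to a general ASN.1 library, so the SPKI it hashes is byte-for-byte the one a browser or HPKP-style pin set would hash; a certificate with the right name but the wrong key gets the same treatment as one with the wrong name.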