[SSL Observatory] https://controller.mobile.lan
ArkanoiD
ark at eltex.net
Mon Feb 6 14:10:16 PST 2012
They could use/generate on the fly self-signed for that as well.
On Mon, Feb 06, 2012 at 01:08:33PM -0800, Chris Palmer wrote:
> On 2012-02-06 23:52, ArkanoiD wrote:
>
> > Wait.. It is signed for just one FQDN, what is the point of using it for
> > MITM?
>
> The attackers/network operators know/hope that users will just click through
> any warning. It doesn't have to be a valid cert for the name to function as
> a successful MITM attack tool. And some clients will blindly accept any
> certificate without warning the user at all.
>
> This is why we need hard-fail for wrong certificates, such as the preloaded
> or dynamic pins provide, for all protocols (not just HTTPS).
>
>
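The hard-fail behaviour Chris Palmer is asking for, as an added example that is not part of the thread or of any project mentioned in it: a small client-side verification policy applied to a peer certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. It contrasts the three client behaviours the thread names (blind acceptance, a warning the user can click through, and hard fail) and adds an HPKP-style SPKI pin check. The certificate, hostnames and SPKI bytes are constructed for the demo; the hostname matching is a simplified RFC 6125 rule (wildcard only as the whole leftmost label, at least three labels), not a full implementation.

```python
# Added example, not from the mailing-list thread. All inputs are constructed.
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def dns_names(cert: dict) -> list[str]:
    """DNS names the certificate is valid for: subjectAltName, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(names: list[str], requested_host: str) -> bool:
    """Simplified RFC 6125 check: exact match, or '*' as the whole leftmost label."""
    host_labels = requested_host.rstrip(".").lower().split(".")
    for name in names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) >= 3:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def evaluate(cert: dict, requested_host: str, policy: str,
             spki_der: bytes | None = None, pins: set[str] = frozenset()) -> Decision:
    """Decide whether a client following `policy` proceeds with the connection.

    policy: "blind"     - no validation at all (the broken clients in the thread)
            "warn"      - mismatch shown to the user, who typically clicks through
            "hard-fail" - mismatch refuses the connection, as pins require
    """
    if policy == "blind":
        return Decision(True, "no validation performed")
    if policy not in ("warn", "hard-fail"):
        raise ValueError(f"unknown policy {policy!r}")

    name_ok = hostname_matches(dns_names(cert), requested_host)
    pin_ok = not pins or (spki_der is not None and spki_pin(spki_der) in pins)
    if name_ok and pin_ok:
        return Decision(True, "hostname and pin verified")

    problem = "hostname mismatch" if not name_ok else "pin mismatch"
    if policy == "warn":
        return Decision(True, f"{problem}; warning shown, user clicked through")
    return Decision(False, f"{problem}; connection refused")


# Constructed peer certificate, valid only for the one FQDN from the subject line.
CONTROLLER_CERT = {
    "subject": ((("commonName", "controller.mobile.lan"),),),
    "subjectAltName": (("DNS", "controller.mobile.lan"),),
}
# Constructed stand-in for the certificate's SubjectPublicKeyInfo DER bytes.
CONTROLLER_SPKI = b"constructed-spki-der-bytes-for-demo"

if __name__ == "__main__":
    # The cert for controller.mobile.lan presented while the user asked for another site.
    for policy in ("blind", "warn", "hard-fail"):
        print(policy, evaluate(CONTROLLER_CERT, "www.example.com", policy))
```

Run as a script, the same mismatched certificate is accepted under `blind`, accepted after a prompt under `warn`, and refused under `hard-fail`, which is the point of the thread: only the last behaviour stops the certificate from working as a MITM tool regardless of which name it was issued for.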