EFF uncovers further evidence of SSL CA bad behavior

Discussion in 'News Archive' started by Jack, Apr 7, 2011.

  1. Jack

    In the wake of the Comodo SSL Certificate Authority (CA) having been compromised by an Iranian hacker, the Electronic Frontier Foundation published more evidence of problems in the SSL signing industry.

    While many were critical of Comodo's hard-coding passwords into public-facing code and using their root certificate to sign certificates, now there is more evidence of industry-wide lax practices.

    Chris Palmer wrote a blog on Tuesday outlining work the EFF had done analyzing the quantity of certificates that were signed and trusted by all of our browsers that were technically invalid and could be used for fraud.

    The particular practice the EFF was looking for was the signing of certificates that did not contain fully-qualified domain names.

    To obtain verification of your identity for the CA to sign a certificate, the certificate must contain something that globally only you could be identified by.

    If I try to get a certificate for just plain www, I should be rejected. Yet if I try to purchase secure.sophos.com, you could verify that I am allowed to represent Sophos, and that this certificate would not be valid for any other organization.

    So what did the EFF find? They found that certificate authorities have signed over 37,000 certificates that are not specific to any organization; they contain only a hostname. The worst offender was GoDaddy.com.

    Each and every one of these could be used to impersonate some local server on your intranet by an intruder...

    Wait! It gets worse... 28 Extended Validation certificates were issued in this manner, 10 of which are still valid. What is Extended Validation? Wikipedia states three specific conditions must be met:

    1. Establish the legal identity as well as the operational and physical presence of website owner.

    2. Establish that the applicant is the domain name owner or has exclusive control over the domain name.

    3. Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

    More details - link
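
An added example, not part of the original post and not the EFF's tooling: a check that flags certificate names which are not fully qualified, so an internal inventory of certificates can be audited for the practice described above. It goes slightly beyond the post by also flagging special-use suffixes such as `.local`; the sample certificates are constructed and shaped like the dictionaries returned by Python's `ssl.getpeercert()`.

```python
import ipaddress

# Special-use top-level labels (RFC 6761 / RFC 6762): dotted, but not globally unique.
SPECIAL_USE_TLDS = {"local", "localhost", "test", "invalid", "example"}

def classify_name(name):
    """Classify one certificate name as 'fqdn', 'unqualified', 'reserved' or 'ip'."""
    host = name.strip().rstrip(".").lower()
    if host.startswith("*."):            # judge a wildcard by its parent name
        host = host[2:]
    try:
        ipaddress.ip_address(host)
        return "ip"                      # IP literals are a separate question
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return "unqualified"             # bare hostname such as "www"
    if labels[-1] in SPECIAL_USE_TLDS:
        return "reserved"
    return "fqdn"

def cert_names(cert):
    """Collect commonName and DNS subjectAltName values, in order, without duplicates."""
    names = []
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return list(dict.fromkeys(names))

def audit(cert):
    """Return (name, kind) for every name that is not globally unique."""
    kinds = ((n, classify_name(n)) for n in cert_names(cert))
    return [(n, k) for n, k in kinds if k in ("unqualified", "reserved")]

# Constructed sample certificates (not real data), shaped like ssl.getpeercert() output.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "www"),),),
     "subjectAltName": (("DNS", "www"), ("DNS", "mail"))},
    {"subject": ((("organizationName", "Sophos"),), (("commonName", "secure.sophos.com"),)),
     "subjectAltName": (("DNS", "secure.sophos.com"),)},
    {"subject": ((("commonName", "exchange.corp.local"),),),
     "subjectAltName": (("DNS", "exchange.corp.local"), ("DNS", "*.corp.local"))},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(cert_names(cert), "->", audit(cert))
```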
