Re: HTTPS proxy tool that resigns SSL certs

From: Rogan Dawes (discard@dawes.za.net)
Date: Fri Jun 09 2006 - 06:09:32 EDT


Ritesh Rekhi wrote:
> Hi All,
> I was going through this discussion. I have 2 questions on the
> discussion below:
>
> 1. Is it possible to get the same cert (cert with same cn) from two different
> CAs which are trusted by the browser, i.e. let's say my site is www.foo.com
> and I get my Cert signed by Verisign but attacker generates the CSR using
> same name and gets it signed by thawte.
>
> 2. If what I mentioned in the question 1 is true then is it possible to do
> MITM attack without attracting the client's attention?
>
> Regd's
> Ritesh
>

In answer to your first question, see my option 1 that I wrote
previously. It is unlikely that they will issue you a certificate if you
cannot prove that you own the domain in question. However, it may be
possible to hijack the domain for long enough to pass the various
validation checks, etc., and get a cert issued.

If this happens, yes, it is game over for that domain. The users will
not get any warning that they are visiting a different site.

>
> 1. Compromise a recognised CA's verification checks to convince them to
> issue you a certificate for the target site. This is unlikely. However,
> VeriSign has issued certs in Microsoft's name in the past, so not
> completely impossible. This also limits you to the particular sites that
> you manage to get certs for.
>

Regards,

Rogan




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:04 EDT