Home > slashdot > Thousands of SSL Certs Issued To Unqualified Names

Thousands of SSL Certs Issued To Unqualified Names

April 6th, 2011 04:38 admin Leave a comment Go to comments


Trailrunner7 writes “The recent attack on Comodo and several of its associated registration authorities has spurred quite a bit of re-examination of the way that the Web’s certificate authority infrastructure works–or doesn’t. One interesting result of this work is that the folks at the Electronic Frontier Foundation have discovered that there are more than 37,000 legitimate certificates issued by CAs for unqualified names such as “localhost” or “Exchange,” a practice that could simplify some forms of man-in-the-middle attacks. “Although signing ‘localhost’ is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like ‘mail’ or ‘webmail’? Such an attacker would be able to perfectly forge the identity of your organization’s webmail server in a ‘man-in-the-middle’ attack!”"

Source: Thousands of SSL Certs Issued To Unqualified Names

Related Articles:

  1. Phony Web Certs Issued For Google, Yahoo, Skype
  2. Rogue SSL Certs Issued For CIA, MI6, Mossad
  3. Hackers Steal Opera-Signed Certificate Through Infrastructure Attack
  4. Earthquake Warning Issued For Central Oklahoma
  5. Adobe Revoking Code Signing Certificate Used To Sign Malware
blog comments powered by Disqus