Difference between revisions of "Episode121"

From Security Weekly Wiki

Revision as of 16:43, 31 August 2008

"I met you yesterday at SANS and was wondering if you could help me promote my mentor session of SEC508 starting on September 23rd. If you could forward this invitation onto your network of contacts, that would be awesome." - Evan


http://www.whitewolfsecurity.com/publications/biometric_locks.php

Listener Feedback: Listener Scott Is Evil

"Sorry if you spoke about this, but I'm still catching up on your shows. I'm not an expert on how the browser and SSL work, but I worry about this being true. Also, if this works, I'm a little hesitant to mention this because it could be used. I was wondering about using the DNS vulnerability to hijack domains. I hear a lot of people saying people can't hijack an SSL-secured domain because the certificate wouldn't validate. Well I can see that you can't spoof the root certificate authorities because the certificates are preloaded in the browser. However, can someone get a certificate able to issue other certificates from a trusted root certificate authority and then sign the phony paypal.com web page with it? This way when my browser goes to the phony paypal.com website, it will tell my browser it was signed by "evilCA.com", then my browser should check to see if "evilCA.com" is valid, and it would pass because it was signed by a root CA. So my browser should be happy and not even alert me anything is wrong and give me an SSL padlock, maybe even an extended certificate, if you can issue those from a normal cert (because I doubt bad people would front a business for an EV cert). Is this how the browser chain of trust works? What did I miss to prevent people from doing this? Thanks and I promise to catch up on all the past shows. Scott"