[137801] in cryptography@c2.net mail archive

RE: unintended?

daemon@ATHENA.MIT.EDU (ian.farquhar@rsa.com)
Mon Nov 17 12:07:10 2008

From: ian.farquhar@rsa.com
Date: Sun, 16 Nov 2008 18:25:18 -0500
In-Reply-To: <20081114212924.GE9882@kokopelli.hydra>
To: <perrin@apotheon.com>, <cryptography@metzdowd.com>

[Moderator's note: Top posting is considered untasteful. --Perry]

It doesn't need to be malicious.  It depends on the situation.

For example, lots of corporations do SSL session inspection using
products like Bluecoat.  The Bluecoat does a MiTM attack to expose the
plaintext for analysis, and expects that corporate users trust the
certificate it provides (and have pushed it out to all corporate
browsers).  If you've just loaded Firefox, it won't have that "trusted"
cert loaded by default, and you'll see exactly the below.


-----Original Message-----
From: owner-cryptography@metzdowd.com
[mailto:owner-cryptography@metzdowd.com] On Behalf Of Chad Perrin
Sent: Saturday, November 15, 2008 8:29 AM
To: cryptography@metzdowd.com
Subject: Re: unintended?

On Fri, Nov 14, 2008 at 01:26:29PM +0000, bmanning@vacation.karoshi.com
> (snicker)  from the local firefox
> ....
> en-us.add-ons.mozilla.com:443 uses an invalid security certificate.
> The certificate is not trusted because the issuer certificate is not
> (Error code: sec_error_untrusted_issuer)

What does Perspectives have to say?

What installation of Firefox did you use?

I don't have that problem when I visit:

Do you perhaps have some kind of malicious redirection going on there?

Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
John Kenneth Galbraith: "If all else fails, immortality can always be
assured through spectacular error."

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
