[5399] in cryptography@c2.net mail archive
Re: going around the crypto
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Aug 14 13:04:36 1999
To: EKR <ekr@rtfm.com>
Cc: cryptography@c2.net
Date: Fri, 13 Aug 1999 13:04:26 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
In message <kjvhajk43b.fsf@romeo.rtfm.com>, EKR writes:
> "Steven M. Bellovin" <smb@research.att.com> writes:
> > > Now, this does require that the CAs that your browser trusts follow
> > > the Common Name=domain name convention, but that's just a special
> > > case of trusting your CAs.
> >
> > The attacker could also present a certificate from a fake CA with an
> > appropriate name -- say, "Netscape Security Services", or something that
> > plays on the site name they're trying to impersonate -- "Amazon.Com Encryption
> > Certification Center" if someone is trying to reach Amazon.com or some such.
> Right. In which case Netscape brings up a different dialog which
> says that the server certificate is signed by an unrecognized
> CA. Again, you can proceed, but it's not like it's automatic.
It's clearly not automatic, but I suspect it would work....