[21451] in bugtraq


Re: Many WAP gateways do not properly check SSL certificates

daemon@ATHENA.MIT.EDU (Jeremy Sanders)
Tue Jul 10 13:04:29 2001

Message-Id: <sb4ac937.090@mail.newsouthfederal.com>
Date: Tue, 10 Jul 2001 09:21:23 -0500
From: "Jeremy Sanders" <jsanders@newsouthfederal.com>
To: <bugtraq@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

>Since SSL certificates are tamper-evident as the cryptographic signature
>is checked against the "root" certificates of the large CAs (Thawte,
>Verisign, Global Trust etc.) this check gives assurance that the
>requesting party is connected to the right host - i.e. you are safe from a
>man-in-the-middle attack.

Sprint PCS's WAP gateway does not give a detailed error message, but does not allow the connection if the root certificate is not a trusted root CA. We have an Organizational CA that we use to generate certificates for internal web sites. The wireless versions of these sites will not work because Sprint's WAP gw does not trust our root... We would also rather not pay Verisign every time we decide to bring up a new intranet/extranet site...

Jeremy Sanders, CCNP CNE
Advanced Systems Engineer
New South Federal Savings Bank
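
The trust decision described in this message, reproduced as an added example that is not part of the original post: a server certificate issued by a private organizational CA is rejected by a trust store holding only a public root and accepted once the organizational root is added. It assumes the openssl command-line tool is installed; `openssl verify` stands in for the gateway's check (how Sprint's gateway implements it is not stated in the post), and every name and subject below is constructed.

```shell
#!/bin/sh
# Constructed demo: all CA names, subjects and file names are made up.

# make_root DIR NAME SUBJECT: create a self-signed root CA (key + certificate).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA NAME SUBJECT: issue a server certificate signed by CA.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 30 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.pem" 2>/dev/null
}

# gateway_accepts TRUST_STORE CERT: succeed only if CERT chains to a root in
# TRUST_STORE. This is the decision the gateway makes on the handset's behalf.
gateway_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" public "/CN=Constructed Public Root" || return 1
    make_root "$d" org "/CN=Constructed Organizational CA" || return 1
    issue_leaf "$d" org intranet "/CN=intranet.example.internal" || return 1
    # Gateway as shipped: only the public root is trusted.
    if gateway_accepts "$d/public.pem" "$d/intranet.pem"; then r1=accept; else r1=reject; fi
    # Gateway after its operator adds the organizational root to the store.
    cat "$d/public.pem" "$d/org.pem" > "$d/store.pem"
    if gateway_accepts "$d/store.pem" "$d/intranet.pem"; then r2=accept; else r2=reject; fi
    rm -rf "$d"
    echo "$r1 $r2"
}

demo   # prints: reject accept
```

The trust store belongs to whoever runs the gateway, so the second case requires a change on the operator's side, not on the site's.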
