[34359] in bugtraq
Google using Expired Cert and SSLv2
daemon@ATHENA.MIT.EDU (Matthew S. Hamrick)
Wed Mar 31 19:37:39 2004
Message-ID: <1080765760.406b2d4021673@webmail.cryptonomicon.net>
Date: Wed, 31 Mar 2004 15:42:40 -0500
From: "Matthew S. Hamrick" <mhamrick@cryptonomicon.net>
To: webappsec@securityfocus.com
Cc: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
http://www.cryptonomicon.net/modules.php?name=News&file=article&sid=729
Don't know how apropos it is to bugtraq, but I suppose it's relevant to the web
application security community. It's fairly well known amongst people who use
SSL to secure portions of their web application that SSL version 2 is "bad."
It's so bad that a bunch of really smart people went out and created SSL version
3. So I was pretty surprised today when I noticed that https://www.google.com/
is using an expired certificate and SSLv2.
Guess the moral of the story is: "even the big guys can get it wrong."
/etc
Matt H.
--
One Ringtone to rule them all, one Carrier to find them,
One Phone to bring them all and to the Service Contract bind them.
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
