[17276] in bugtraq


Re: Use of Akamai hosts to circumvent SSL server authentica

daemon@ATHENA.MIT.EDU (John A. Lauro)
Fri Oct 20 02:35:00 2000

MIME-Version:  1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Message-ID:  <D06CDCA4EA3@flint.umich.edu>
Date:         Thu, 19 Oct 2000 14:56:47 EDT
Reply-To: "John A. Lauro" <jlauro@UMICH.EDU>
From: "John A. Lauro" <jlauro@UMICH.EDU>
X-To:         fubob@MIT.EDU
To: BUGTRAQ@SECURITYFOCUS.COM

> This problem is not unique to Akamai or Verisign.  There are
> probably many other sites which unintentionally proxy SSL in this
> manner. Akamai just happens to be a very large instance.  Any SSL
> Web server that transparently proxies arbitrary SSL connections by
> re-wrapping requests is vulnerable.

Any such certificate would put Akamai (or whoever is proxying it) as
the content owner if you view the certificate.  That is no less
insecure or less easy to do than putting a page up on a completely
unrelated secure site...  How many people actually view the
certificate to see who it was issued to, and verify it is who they
think it should be???  Generally all that little lock gets you is a
little bit of encryption over public nets...

Not that most users would know this if given a link in a chat room,
but... Akamai rarely serves html pages, especially if they contain
dynamic data....   (Partly because they can't help with dynamic
data, partly because companies want their own domain name in all the
links).   Akamai mostly just stores images...  So the start of the
link with akamai in the front would be as much of a clue as you would
get if someone created their own paper company and obtained a
certificate for it, and I am sure they could make the URL and
hostname a lot more convincing....

---------------------------------------------------------------------------
John Lauro                          email: jlauro@flint.umich.edu
University of Michigan - Flint             jlauro@umich.edu
Information Technology Services
303 E. Kearsley St.                 phone: (810) 762-3123
Flint, MI  48502                      fax: (810) 766-6805
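The check the post says almost nobody performs (who the certificate was actually issued to, versus the site the user meant to reach), as an added example that is not part of the original thread. The certificate dict is constructed in the shape Python's ssl.getpeercert() returns, and the ".example" hostnames and organisation names are assumptions, not real CDN or bank hosts.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; the
# names are hypothetical (RFC 2606 ".example" domains), not real CDN hosts.
CDN_EDGE_CERT: Dict = {
    "subject": ((("organizationName", "Example CDN Inc."),),
                (("commonName", "edge1.cdn.example"),)),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "edge1.cdn.example"), ("DNS", "*.cdn.example")),
}

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the host the user intended.
    Only a single left-most '*' label is honoured, and it never spans a dot
    (RFC 2818 / RFC 6125 style), so '*.cdn.example' != 'a.b.cdn.example'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])

def issued_to(cert: Dict) -> List[str]:
    """Every DNS identity the certificate asserts: SAN entries, with the
    subject CN used only as a fallback when no SAN is present."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def subject_org(cert: Dict) -> Optional[str]:
    """The organisation the certificate names as its owner, if any."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "organizationName":
                return v
    return None

def verify_identity(cert: Dict, intended_host: str) -> Tuple[bool, str]:
    """Return (ok, explanation). The padlock only proves the channel is
    encrypted to someone; this is the 'who was it issued to' step."""
    names = issued_to(cert)
    owner = subject_org(cert) or "<no organization in subject>"
    if any(dns_name_matches(n, intended_host) for n in names):
        return True, f"certificate for {intended_host} belongs to {owner}"
    return False, (f"you reached {intended_host!r} but the certificate was issued to "
                   f"{owner} for {names}: an encrypted session with the wrong party")

if __name__ == "__main__":
    for host in ("edge1.cdn.example", "img.cdn.example", "secure.bank.example"):
        print(verify_identity(CDN_EDGE_CERT, host))
```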
