[security] SSL compromise
John Bradley
ve7jtb at ve7jtb.com
Thu Mar 24 14:09:47 UTC 2011
http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
The browser vendors blocking those certificates is nice; however, there are attacks on RPs that could be done with those certificates that are still open.
In testing, something like 0% of RPs check OCSP or CRLs; the libs don't force OpenSSL to do those checks (I think DNOA will do them in FICAM mode).
So perhaps encouraging people to perform those checks would be a good idea.
We can only hope that none of the 9 certificates cover an OpenID OP; otherwise user accounts at RPs could theoretically be compromised.
John B.
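What the check John says RPs skip looks like in code, as an added example (not from this post, DNOA or any OpenID library): a Go program (standard library only, Go 1.19 or later for x509.ParseRevocationList) that builds a constructed throwaway CA, issues a leaf for the made-up host op.example, revokes it, and shows that chain validation alone still accepts the leaf while consulting the issuer's CRL rejects it. VerifyWithCRL and Demo are names chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyWithCRL builds the chain as TLS stacks do by default, then does the step the post says RPs skip: the CRL check.
func VerifyWithCRL(leaf *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, host string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err // chain or hostname problem; this is where most RP libraries stop
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return err // only trust a CRL actually signed by the leaf's issuer
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate serial is listed on the issuer CRL")
		}
	}
	return nil
}

// Demo builds a constructed CA and leaf (one key reused for both), revokes the leaf, and returns both verdicts.
func Demo(host string) (chainOnly, withCRL error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, NotBefore: nb,
		NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, pub, priv)
	ca, _ := x509.ParseCertificate(caDER) // parsed copy carries the generated SubjectKeyId the CRL signer needs
	leafDER, _ := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(4242),
		DNSNames: []string{host}, NotBefore: nb, NotAfter: na}, ca, pub, priv)
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nb,
		NextUpdate: na, RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: nb}},
	}, ca, priv)
	crl, _ := x509.ParseRevocationList(crlDER)
	_, chainOnly = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // what a chain-only RP sees: no error
	withCRL = VerifyWithCRL(leaf, roots, crl, host)                              // with the CRL consulted: rejected
	return chainOnly, withCRL
}
```

In a real RP the CRL (or an OCSP response) would be fetched from the URL in the leaf's CRL Distribution Points or AIA extension and cached until its NextUpdate; the comparison step stays the same.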