[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: An SSL implementation weakness?



This was the second SSL problem documented; it was fixed in 
netscape 2.0. The fix is to include the hostnames used for the server in 
the certificate as multi-values for the CommonName (CN). 

The fix is relatively simple; The client must then check the certificate
to make sure the hostname matches, and the CA must not check ownership of
domain names before issuing certs. 

Simon
(the first, and silliest was the original SSL's habit of using RC4 on 
(essentially) known plain-text with no checksum. Doh!) 

 ---
Cause maybe  (maybe)		      | In my mind I'm going to Carolina
you're gonna be the one that saves me | - back in Chapel Hill May 16th.
And after all			      | Email address remains unchanged
You're my firewall -    	      | ........First in Usenet.........