On Sun 22/Oct/2023 13:18:53 +0200 Hans-Martin Mosner via mailop wrote:
> On 22.10.23 at 12:23, Paul Menzel via mailop wrote:
>> It was interesting and surprising to me, as the common perception is that
>> SSL certificates protect against MiTM attacks as it should provide authenticity.
>
> The weak point of SSL certificates is that clients are willing to accept new
> certs for the same domain as long as their signature path is correct (ending at
> one of the trusted root CAs). State-level agents may have ways of obtaining a
> certificate for a third party from a trusted authority, as long as they
> convince the authority that their interception request is lawful.

That would be a show stopper for Let's Encrypt and EFF, methinks.

The Summary and finale section starts with the paragraph:

    The attacker managed to issue multiple SSL/TLS certificates via Let’s
    Encrypt for jabber.ru and xmpp.ru domains since 18 Apr 2023

However, they don't hypothesize on how that was possible. Is that due to
anonymous ciphers being enabled? How? The whole point of certification
authorities is that third parties /cannot/ manage to issue copies of whatever
certificate at will.

Best
Ale