Michael Dorrian wrote:
So if what you are saying is true then I could call myself the same name
as a trusted CA authority when making my root CA and the browser will
think I am a trusted CA. Is that correct? It seems too simple to be
true...
1. If you forge a root CA certificate...
2. ...and install it in a user's browser...
3. ...and control the DNS to divert the browser...
4. ...to a forged web site running on an IP you control...
...then the browser probably won't complain. Trivial for a
well-positioned admin or support technician, but not exactly simple.
This technique could be used to harvest passwords, so a site should
think very carefully about the ramifications of installing root CA
certificates in browsers to support self-signed certificates.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
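The four-step scenario above can be reproduced offline. What follows is an added example written for this page; it is not code from the thread, from the OpenSSL project, or from any browser. It uses Go's standard crypto/x509 package as a stand-in for a browser's certificate verifier because it needs no external tools. Everything in it is constructed: the CA name "Example Root CA" / "Example Trust Services", the host www.example.com, and the helper names (newRoot, issueLeaf, verifyAs, runScenario). It builds a genuine root, then a second root with the byte-identical subject name but its own key, issues a server certificate from the forged root, and verifies it twice: once against a trust store holding only the genuine root, and once after the forged root has been "installed" (step 2 of the reply).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholders: the subject both roots will carry and the host the
// forged site impersonates. Neither is a real CA or a real site.
var (
	caName   = pkix.Name{Organization: []string{"Example Trust Services"}, CommonName: "Example Root CA"}
	siteHost = "www.example.com"
)

// newKey makes a fresh P-256 key; this only fails if the OS randomness source
// does, so a panic is acceptable in a demonstration.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// sign gives tmpl a validity window, signs it with parentKey and parses the
// result; a failure here can only be a programming error, so it panics.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newRoot builds a self-signed CA with the given subject and its own key. Two
// calls with the same name give roots that match by name but differ in key,
// which is exactly the "call myself the same name" situation from the post.
func newRoot(name pkix.Name) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: name, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf signs a server certificate for host with the CA's key.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// verifyAs does what a browser does on connect: chain the leaf to a root in the
// trust store, checking each signature with the parent's public key, then match
// the host name. A root that merely shares a name is not a valid parent.
func verifyAs(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

type Outcome struct {
	SameName, SameKey       bool
	RejectedByGenuineRoot   bool // unknown authority while only the genuine root is trusted
	AcceptedOnceForgedAdded bool // step 2 of the reply: the forged root is installed
}

func runScenario() Outcome {
	genuine, _ := newRoot(caName)                  // the real CA; the attacker never holds its key
	forged, forgedKey := newRoot(caName)           // the attacker's root: same name, own key
	leaf := issueLeaf(siteHost, forged, forgedKey) // certificate for the forged site
	_, unknownAuthority := verifyAs(leaf, siteHost, genuine).(x509.UnknownAuthorityError)
	return Outcome{
		SameName:                bytes.Equal(genuine.RawSubject, forged.RawSubject),
		SameKey:                 bytes.Equal(genuine.RawSubjectPublicKeyInfo, forged.RawSubjectPublicKeyInfo),
		RejectedByGenuineRoot:   unknownAuthority,
		AcceptedOnceForgedAdded: verifyAs(leaf, siteHost, genuine, forged) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Run it with `go run`. The result is the point of the reply: matching the trusted CA's name gets the attacker nothing, because the verifier finds the root by name and then checks the leaf's signature with that root's public key, which the attacker does not hold. Only once the forged root itself sits in the trust store (step 2) does the chain verify, and from then on every site the attacker can route the browser to (step 3) will look legitimate. The same experiment with the OpenSSL tools is `openssl verify -CAfile` against the genuine root and then against a file that also contains the forged one. That is why a root installed to support self-signed certificates should be a private CA whose key is guarded, and why the trust store of every browser it is installed in becomes part of the site's attack surface.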