Secure Transactions

Bruno Wolff III bruno at wolff.to
Sun Aug 31 22:18:34 UTC 2014


On Sun, Aug 31, 2014 at 15:02:03 -0700,
  Tod Merley <todbot88 at gmail.com> wrote:
>Heinz thanks for reminding me about looking at certificates by clicking the
>padlock.  I also note that they have the ability to export and so I suppose
>a comparison could be made through that as well.
>
>General question - can one spoof a certificate?  I suppose "man in the
>middle" is simply nasty.

You might be tricked into going to a site that has a valid certificate for 
that site, but isn't really the site you expected to be at.

The certificate might be signed by a CA in your browser that isn't a 
normal CA. This is common for work PCs where ssl traffic is proxied.

The certificate might be signed by a normal CA, but might have been issued 
in error or at the request of law enforcement for someone other than 
the parties responsible for the site you are visiting.

The certificate might have used a key with too little entropy and it 
was possible to guess the private key allowing someone else to make 
use of the normal public part.


More information about the users mailing list
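The export-and-compare idea from the quoted question, worked through as an added example (not code from the post or its author): record the SHA-256 fingerprint of the certificate you exported once, then check a later copy against that pin and against the CA you expect to see as issuer. It uses only the Python standard library, with a minimal DER walker for the issuer commonName; the two certificates, their names and the "Corp TLS Proxy CA" scenario are constructed in the code for the demo, not real CAs.

```python
"""Compare a server certificate with a pinned copy: fingerprint and issuer.

Added example, not from the mailing-list post. Standard library only: a
minimal DER walker pulls the issuer commonName out of an X.509 certificate,
and the SHA-256 fingerprint is compared (constant time) with one recorded
earlier, e.g. from a certificate exported via the browser's padlock dialog.
The certificates below are constructed in code; their names are assumptions.
"""
import hashlib
import hmac

OID_CN = bytes([0x55, 0x04, 0x03])                    # 2.5.4.3 commonName
OID_SHA256_RSA = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])
OID_RSA = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01])


# ---- minimal DER encoding, used only to build the constructed samples ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                          # long-form length
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def name(cn):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue."""
    return seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x0C, cn.encode()))))

def sample_cert(issuer_cn, subject_cn):
    """X.509-shaped DER with a dummy signature (constructed sample only)."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                        # [0] version v3
        tlv(0x02, b"\x01"),                                    # serialNumber
        seq(tlv(0x06, OID_SHA256_RSA)),                        # signature alg
        name(issuer_cn),
        seq(tlv(0x17, b"140831000000Z"), tlv(0x17, b"150831000000Z")),
        name(subject_cn),
        seq(seq(tlv(0x06, OID_RSA)), tlv(0x03, b"\x00" * 3)),  # dummy SPKI
    )
    return seq(tbs, seq(tlv(0x06, OID_SHA256_RSA)), tlv(0x03, b"\x00" * 33))


# ---- minimal DER decoding ----
def read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def issuer_cn(der):
    """Return the issuer commonName of a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(der, 0)
    fields = children(children(cert)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # skip optional [0] version
        fields = fields[1:]
    issuer = fields[2][1]        # serial, sigAlg, issuer, validity, subject...
    for _, rdn in children(issuer):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode()
    return None

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def check_cert(der, pinned_fp, trusted_issuers):
    """Return the list of problems; an empty list means the cert matches."""
    problems = []
    if not hmac.compare_digest(fingerprint(der), pinned_fp):
        problems.append("fingerprint differs from the pinned certificate")
    cn = issuer_cn(der)
    if cn not in trusted_issuers:
        problems.append(f"issued by an unexpected CA: {cn!r}")
    return problems


# Constructed scenario: the copy exported earlier vs. what an intercepting
# proxy (its CA added to the work PC's trust store) presents for the same name.
PINNED = sample_cert("Example Public CA", "www.example.com")
PROXIED = sample_cert("Corp TLS Proxy CA", "www.example.com")
TRUSTED = {"Example Public CA"}

if __name__ == "__main__":
    pin = fingerprint(PINNED)
    print("pinned copy :", check_cert(PINNED, pin, TRUSTED))
    print("proxied copy:", check_cert(PROXIED, pin, TRUSTED))
```

A fingerprint pin catches the first three cases in the reply (a different site's valid certificate, a proxy CA, a mis-issued certificate from a normal CA), because each of those is a different certificate. It does nothing for the last case: an attacker who has recovered the private key of a weak keypair presents the genuine certificate, so fingerprint and issuer both match, and only rotating the key helps there.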