Risk
8/3/2009
10:06 AM
Keith Ferrell
Keith Ferrell
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Secure Certificate Vulnerabilities Revealed

The SSL Certificate that tells visitors a site is certified as trustworthy may be easier to fake than previously thought. And that's one more reminder that the whole system of trust authorization is in need of work.

The SSL Certificate that tells visitors a site is certified as trustworthy may be easier to fake than previously thought. And that's one more reminder that the whole system of trust authorization is in need of work.In a presentation revealing the ease with which certificates of trust can be acquired by false means, researchers from Intrepidus Group raised questions about the security practices of some of the leading Certification Authorities (CA).

The dilemma, according to Intrepidus consultant Michael Zusman, is the degree of Web apps and automation CAs deploy to hasten the validation of certificates. Zusman demonstrated how he'd used phony credentials top obtain certificates from CAs StartCom, THWATE, and LoginLive.com.

Additionally he warned that CAs are not well-defended against cross-scripting attacks or SQL injections.

Zusman made his case at the DefCon 17 hacker conference, adding to the rising tide of SSL concerns and authentication worries.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

CVE-2014-2966
Published: 2014-07-26
The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly perform Unicode transformations, which allows remote attackers to bypass intended text restrictions via crafted characters, as demonstrated by bypassing an XSS protection mechanism.

CVE-2014-3071
Published: 2014-07-26
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.