Imzy
Copyright © 2017 Saurus, Inc. All rights reserved.
InfoSec

Information Security, securing the digital world. Blogs, talks, videos, discussions, and tips on digital security.

2591 members
Posted by oherrala in /infosec on Jul 03, 2016 at 12:44 PM

StartEncrypt considered harmful today

  • Blog

Recently, one of our hackers (Thijs Alkemade) found a critical vulnerability in StartCom's new StartEncrypt tool, that allows an attacker to gain valid SSL certificates for domains he does not control. While there are some restrictions on what domains the attack can be applied to, domains where the attack will work include google.com, facebook.com, live.com, dropbox.com and others.

computest.nl
Comments (4)
  • LibertyBeta, Jul 03, 2016 at 5:29 PM

    This is why Let's Encrypt is better.

    • oherrala, Jul 04, 2016 at 8:56 AM

      Not really. Problems in one piece of software don't make the other one better. There's no correlation there.

  • elwillow, Jul 04, 2016 at 8:05 AM

    Great... That didn't take long. At least it was spotted; now I'm curious how many of those bogus certificates got issued.

    • oherrala, Jul 04, 2016 at 8:58 AM

      They should be able to work that issue out by just revoking the intermediate CA certificate(s). That invalidates all the certificates, including the bogus ones.
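The comment above argues that revoking the intermediate CA certificate invalidates every certificate issued under it. The Go program below is an added example (not from the thread, and not Computest's or StartCom's code) that builds a throwaway root, intermediate and leaf, has the root publish a CRL, and implements the relying-party side: chain building followed by a revocation check on every element of the chain, scoped to each element's issuer. Names such as "Example Root CA" and www.example.com are constructed for the example. The caveat a practitioner would add: the claim only holds for clients that actually fetch and honour CRL or OCSP status for intermediates, which browsers in 2016 did inconsistently (Chrome's CRLSet and Firefox's OneCRL are pushed lists rather than live CRL checks), so the revocation also has to reach those mechanisms before the mis-issued certificates stop working in practice.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed root -> intermediate -> leaf chain with throwaway keys (not StartCom's).
type PKI struct {
	Root, Inter, Leaf *x509.Certificate
	RootKey           *ecdsa.PrivateKey
}

// check panics on fixture-setup errors; the verification path below returns errors properly.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a 24-hour certificate for it; parent == nil means self-signed.
func issue(serial int64, cn string, ca bool, ku x509.KeyUsage, parent *x509.Certificate,
	signer *ecdsa.PrivateKey, dns ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildPKI issues the chain; the root carries CRLSign because it publishes the CRL.
func BuildPKI() *PKI {
	root, rootKey := issue(1, "Example Root CA", true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil)
	inter, interKey := issue(2, "Example Intermediate CA", true, x509.KeyUsageCertSign, root, rootKey)
	leaf, _ := issue(3, "www.example.com", false, x509.KeyUsageDigitalSignature, inter, interKey, "www.example.com")
	return &PKI{Root: root, Inter: inter, Leaf: leaf, RootKey: rootKey}
}

// IssueCRL has the root publish a CRL naming the given certificates as revoked.
func IssueCRL(p *PKI, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.Root, p.RootKey)
	check(err)
	crl, err := x509.ParseRevocationList(der)
	check(err)
	return crl
}

// VerifyWithCRL is what a relying party must do for the comment's claim to hold: build the chain,
// then check every element (not only the leaf) against the CRL of that element's issuer.
func VerifyWithCRL(p *PKI, crl *x509.RevocationList, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Inter)
	chains, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(p.Root); err != nil {
		return fmt.Errorf("CRL not signed by the trusted root: %w", err)
	}
	for _, c := range chains[0] {
		if !bytes.Equal(c.RawIssuer, crl.RawIssuer) {
			continue // a CRL only speaks for certificates its own issuer signed
		}
		for _, e := range crl.RevokedCertificates {
			if e.SerialNumber.Cmp(c.SerialNumber) == 0 {
				return fmt.Errorf("%q (serial %s) is revoked; chain rejected", c.Subject.CommonName, c.SerialNumber)
			}
		}
	}
	return nil
}

func main() {
	p := BuildPKI()
	fmt.Println("empty CRL:", VerifyWithCRL(p, IssueCRL(p), "www.example.com"))
	fmt.Println("intermediate revoked:", VerifyWithCRL(p, IssueCRL(p, p.Inter), "www.example.com"))
}
```

With an empty CRL the leaf verifies; once the intermediate's serial is on the root's CRL the same leaf is rejected even though nothing about the leaf itself changed. The issuer comparison matters: a serial number is only unique per issuer, so a leaf serial placed on the root's CRL is correctly ignored, which is also why the intermediate's own issuer (the root) is the one that has to publish the revocation.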
