StartEncrypt considered harmful today
Recently, one of our hackers (Thijs Alkemade) found a critical vulnerability in StartCom's new StartEncrypt tool that allows an attacker to obtain valid SSL certificates for domains he does not control. While there are some restrictions on which domains the attack can be applied to, domains where the attack will work include google.com, facebook.com, live.com, dropbox.com and others.
computest.nl
This is why Letsencrypt is better.
Not really. Problems in one piece of software don't make the other one better. There's no correlation there.
Great... That didn't take long. At least it was spotted; now I'm curious how many of those bogus certificates got issued.
They should be able to work that issue out by just revoking the intermediate CA certificate(s). That invalidates all the certificates, including the bogus ones.