1996-08-11 - Re: An SSL implementation weakness?

Header Data

From: Simon Spero <ses@tipper.oit.unc.edu>
To: The Deviant <deviant@pooh-corner.com>
Message Hash: bfcd857a05e0c9edfb06897389f047edbc0656a0ae5cd5124c250247916d52bb
Message ID: <Pine.SUN.3.91.960810193128.13080B-100000@tipper.oit.unc.edu>
Reply To: <Pine.LNX.3.94.960809045202.653D-100000@switch.sp.org>
UTC Datetime: 1996-08-11 06:21:05 UTC
Raw Date: Sun, 11 Aug 1996 14:21:05 +0800

Raw message

From: Simon Spero <ses@tipper.oit.unc.edu>
Date: Sun, 11 Aug 1996 14:21:05 +0800
To: The Deviant <deviant@pooh-corner.com>
Subject: Re: An SSL implementation weakness?
In-Reply-To: <Pine.LNX.3.94.960809045202.653D-100000@switch.sp.org>
Message-ID: <Pine.SUN.3.91.960810193128.13080B-100000@tipper.oit.unc.edu>
MIME-Version: 1.0
Content-Type: text/plain


This was the second SSL problem documented; it was fixed in
Netscape 2.0. The fix is to include the hostnames used for the server in
the certificate as multi-values for the CommonName (CN).

The fix is relatively simple; the client must then check the certificate
to make sure the hostname matches, and the CA must not check ownership of
domain names before issuing certs. 

Simon
(The first, and silliest, was the original SSL's habit of using RC4 on
(essentially) known plain-text with no checksum. Doh!)

 ---
Cause maybe  (maybe)		      | In my mind I'm going to Carolina
you're gonna be the one that saves me | - back in Chapel Hill May 16th.
And after all			      | Email address remains unchanged
You're my firewall -    	      | ........First in Usenet.........
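
Added example, not part of the original message: a sketch of the client-side check the message describes, comparing the requested hostname against every CommonName value in the server certificate, next to a client that only checks the issuer. The certificate dicts are constructed samples shaped like the output of Python's ssl getpeercert(), the CA and host names are hypothetical, and the issuer-name lookup is an assumed stand-in for real chain validation.

```python
# Constructed sample data, shaped like ssl.SSLSocket.getpeercert() output.
TRUSTED_ISSUERS = {"Example Root CA"}  # hypothetical CA name

def make_cert(issuer_cn, *subject_cns):
    """Build a constructed certificate dict with one RDN per CN value."""
    return {
        "issuer": ((("commonName", issuer_cn),),),
        "subject": tuple((("commonName", cn),) for cn in subject_cns),
    }

SHOP_CERT = make_cert("Example Root CA", "www.shop.example", "shop.example")
OTHER_CERT = make_cert("Example Root CA", "www.other.example")
ROGUE_CERT = make_cert("Unknown CA", "www.shop.example")

def normalize(host):
    """DNS names compare case-insensitively; a trailing dot is the same name."""
    return host.strip().lower().rstrip(".")

def rdn_values(cert, field, key="commonName"):
    """Collect every value of `key` in cert[field], multi-valued CNs included."""
    return [v for rdn in cert.get(field, ()) for k, v in rdn if k == key]

def issuer_trusted(cert):
    """Assumed stand-in for chain validation: issuer name lookup only."""
    return any(cn in TRUSTED_ISSUERS for cn in rdn_values(cert, "issuer"))

def accept_without_hostname_check(cert, requested_host):
    """No hostname comparison: any certificate from a trusted CA is accepted."""
    return issuer_trusted(cert)

def accept_with_hostname_check(cert, requested_host):
    """Trusted CA AND the requested host exactly equals one of the CN values."""
    wanted = normalize(requested_host)
    if not wanted or not issuer_trusted(cert):
        return False
    return wanted in {normalize(cn) for cn in rdn_values(cert, "subject")}

if __name__ == "__main__":
    certs = (("shop", SHOP_CERT), ("other", OTHER_CERT), ("rogue", ROGUE_CERT))
    for label, cert in certs:
        print(label,
              accept_without_hostname_check(cert, "www.shop.example"),
              accept_with_hostname_check(cert, "www.shop.example"))
```

Matching here is exact only, with no wildcard handling. Current TLS clients perform this comparison against subjectAltName dNSName entries rather than CN; the CN form follows the message.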




