Re: CVE-2007-659[01]

To: Florian Weimer <fweimer@bfk.de>
Cc: debian-security-tracker@lists.debian.org
Subject: Re: CVE-2007-659[01]
From: Stefan Fritsch <sf@sfritsch.de>
Date: Mon, 7 Jan 2008 22:01:31 +0100
Message-id: <[🔎] 200801072201.31900.sf@sfritsch.de>
In-reply-to: <[🔎] 82myrmgfb3.fsf@mid.bfk.de>
References: <E1JAWwj-0006ze-VL@alioth.debian.org> <[🔎] 200801032244.03548.sf@sfritsch.de> <[🔎] 82myrmgfb3.fsf@mid.bfk.de>

On Friday 04 January 2008, Florian Weimer wrote:
> * Stefan Fritsch:
> > I don't agree with this. An attacker can trick a user to accept a
> > certificate for '*' which then allows to do MITM attacks for any
> > websites.
>
> You still need to subvert IP routing.

Or do DNS spoofing. Or the user uses a TOR exit node or a public WLAN. 
Or he uses his own laptop in a company network...

> If you do that, most users will click away the warnings anyway.

But this affects also those users who don't click away warnings.

Reply to:

References:
- CVE-2007-659[01] (was: r7801 - in data: . CVE)
  - From: Stefan Fritsch <sf@sfritsch.de>
- Re: CVE-2007-659[01]
  - From: Florian Weimer <fweimer@bfk.de>

Prev by Date: Re: CVE-2007-659[01]
Next by Date: CVE-2007-4619: Fix backported to Etch?
Previous by thread: Re: CVE-2007-659[01]
Next by thread: CVE-2007-4619: Fix backported to Etch?
Index(es):
- Date
- Thread