[ale] Plain text SSL certs and Konqueror
Michael D. Hirsch
mhirsch at nubridges.com
Wed Mar 10 16:59:44 EST 2004
According to this rather interesting article from netcraft
http://news.netcraft.com/archives/2004/03/08/ssls_credibility_as_phishing_defense_is_tested.html
Scammers can also configure their web server so that deceptive SSL
certificates won't trigger an alert in the user's browser. "One of the
SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science
Corporation noted in the SANS post on the issue. "Most SSL servers have
this disabled by default, but most browsers support it. When plain text
is used, no central certificate authority is consulted and the user
never sees a message asking if a certificate should be accepted
(because 'plain text' doesn't use certificates). Keeping that in mind,
the little lock icon may not even indicate an encrypted channel. The
little lock only indicates an SSL connection."
I went looking for these "plain text" SSL encodings in my browser of
choice, Konqueror. Konq offers a pretty good view of its SSL setup,
listing every SSL encryption method, both SSLv2 and SSLv3. None of
them are listed as "plain text". Anyone know what they are?
There are a couple listed as "(0 of 0 bits)" which sounds kinda like a
non-encryption method. A few examples are FZA-FZA-CBC-SHA,
FZA-NULL-SHA, NULL-MD5, and NULL-SHA. Are these in fact plain text?
If so, the good news is that they come disabled by default.
Curiously yours,
Michael
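Added example (not part of the original post): a small checker for the question above. OpenSSL names the two properties separately: eNULL suites such as NULL-SHA and NULL-MD5 have no bulk encryption (the lock icon appears but the traffic is readable on the wire), while aNULL suites (ADH-*, AECDH-*) encrypt but present no server certificate. The sample list is constructed from the names in the post (NULL-MD% read as OpenSSL's NULL-MD5) plus a few modern suites for contrast; the local OpenSSL cross-check is an assumption about the build and returns an empty list if the selection string is refused.

```python
"""Flag TLS cipher suites that show a lock icon without confidentiality or
without server authentication.  Added example, not code from the post."""
import ssl

# Trailing tokens in OpenSSL suite names that describe the MAC/PRF, not the cipher.
_MAC_TOKENS = {"MD5", "SHA", "SHA256", "SHA384"}
# Leading tokens meaning "no server authentication" (OpenSSL's aNULL class).
_ANON_KX = {"ADH", "AECDH"}


def classify_suite(name: str) -> dict:
    """Classify an OpenSSL-style (NULL-SHA) or IANA-style
    (TLS_RSA_WITH_NULL_SHA) suite name."""
    upper = name.upper()
    if upper.startswith(("TLS_", "SSL_")):
        # IANA form: TLS_<kx>_<auth>_WITH_<enc>_<mac>
        null_enc = "_WITH_NULL_" in upper or upper.endswith("_WITH_NULL")
        anon = "_ANON_" in upper
    else:
        tokens = upper.split("-")
        if tokens[-1] in _MAC_TOKENS:
            tokens = tokens[:-1]
        # What remains last is the bulk cipher (or its mode, e.g. CBC/GCM).
        null_enc = tokens[-1] == "NULL"
        anon = tokens[0] in _ANON_KX
    return {"name": name, "null_encryption": null_enc, "anonymous": anon}


def audit(names):
    """Return the suites a defender should keep disabled: no encryption
    (plain text on the wire) or no server authentication."""
    return [c["name"] for c in map(classify_suite, names)
            if c["null_encryption"] or c["anonymous"]]


def local_openssl_null_suites() -> list:
    """Cross-check against the local OpenSSL: request every suite including
    the eNULL class and return those it reports as 0 strength bits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL:eNULL")   # eNULL is excluded from ALL by default
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] == 0]


# Constructed sample: the four names from the post plus contrasting suites.
SAMPLE_SUITES = ["FZA-FZA-CBC-SHA", "FZA-NULL-SHA", "NULL-MD5", "NULL-SHA",
                 "AECDH-AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                 "TLS_RSA_WITH_NULL_SHA"]

if __name__ == "__main__":
    print("disable:", audit(SAMPLE_SUITES))
    print("local OpenSSL eNULL suites:", local_openssl_null_suites())
```

Of the four names from the post, only FZA-FZA-CBC-SHA carries a real bulk cipher; the other three are authenticated but unencrypted.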