W3C home > Mailing lists > Public > public-web-security@w3.org > May 2014

W3C Web Security IG - forged certificates

From: GALINDO Virginie <Virginie.GALINDO@gemalto.com>
Date: Mon, 12 May 2014 12:32:21 +0200
To: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <239D7A53E5B17B4BB20795A7977613A4022CD7C0473D@CROEXCFWP04.gemalto.com>
Hi all,

In case you missed that research report:
'The analysis<https://www.linshunghuang.com/papers/mitm.pdf> is important because it's the first to estimate the amount of real-world tampering inflicted on the HTTPS system that millions of sites use to prove their identity and encrypt data traveling to and from end users. Of 3.45 million real-world connections made to Facebook servers using the transport layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2 percent of them, were established using forged certificates. The vast majority of unauthorized credentials were presented to computers running antivirus programs from companies including Bitdefender, Eset, and others. Commercial firewall and network security appliances were the second most common source of forged certificates.'

See : arstechnica.com/security/2014/05/significant-portion-of-https-web-connections-made-by-forged-certificates/

Regards,
Virginie


________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus
Received on Monday, 12 May 2014 10:32:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:21 UTC