Re: W3C Web Security IG - forged certificates

I'm one of the authors of the report and would be happy to answer any
questions about it.


On Mon, May 12, 2014 at 3:32 AM, GALINDO Virginie <
Virginie.GALINDO@gemalto.com> wrote:

> Hi all,
>
> In case you missed that research report:
>
> ‘The analysis <https://www.linshunghuang.com/papers/mitm.pdf> is
> important because it's the first to estimate the amount of real-world
> tampering inflicted on the HTTPS system that millions of sites use to prove
> their identity and encrypt data traveling to and from end users. Of 3.45
> million real-world connections made to Facebook servers using the transport
> layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2
> percent of them, were established using forged certificates. The vast
> majority of unauthorized credentials were presented to computers running
> antivirus programs from companies including Bitdefender, Eset, and others.
> Commercial firewall and network security appliances were the second most
> common source of forged certificates.’
>
> See :
> arstechnica.com/security/2014/05/significant-portion-of-https-web-connections-made-by-forged-certificates/
>
> Regards,
>
> Virginie

Received on Tuesday, 13 May 2014 21:51:39 UTC