Re: W3C Web Security IG - forged certificates

From: Collin Jackson <collin.jackson@sv.cmu.edu>
Date: Tue, 13 May 2014 14:50:30 -0700
Message-ID: <CANVv-VezB8Jvr9zaKB8+oL1NEuEPzxArkFLf7W7KwuJG7twmNg@mail.gmail.com>
To: GALINDO Virginie <Virginie.GALINDO@gemalto.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>

I'm one of the authors of the report and would be happy to answer any
questions about it.

On Mon, May 12, 2014 at 3:32 AM, GALINDO Virginie <
Virginie.GALINDO@gemalto.com> wrote:

> Hi all,
> In case you missed that research report:
> ‘The analysis <https://www.linshunghuang.com/papers/mitm.pdf> is
> important because it's the first to estimate the amount of real-world
> tampering inflicted on the HTTPS system that millions of sites use to prove
> their identity and encrypt data traveling to and from end users. Of 3.45
> million real-world connections made to Facebook servers using the transport
> layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2
> percent of them, were established using forged certificates. The vast
> majority of unauthorized credentials were presented to computers running
> antivirus programs from companies including Bitdefender, Eset, and others.
> Commercial firewall and network security appliances were the second most
> common source of forged certificates.’
> See:
> arstechnica.com/security/2014/05/significant-portion-of-https-web-connections-made-by-forged-certificates/
> Regards,
> Virginie
Received on Tuesday, 13 May 2014 21:51:39 UTC
