[OT] Trusting X.509 certificate
Peter Lebbing
peter at digitalbrains.com
Tue Apr 16 11:50:36 CEST 2013
> You could look at the certificate your browser doesn't trust and follow up
> the information it contains. You could also search the internet (and other
> sources) for information about Intevation GmbH, and see if it matches what
> the certificate says.

Everything the certificate "says" is under attacker control when they redirect
the HTTPS session to their own system[1]. You need to find a trust path based
on cryptographic signatures, not on what the Subject and Issuer fields and
what not say in the certificate.

Peter.

[1] With the possible exception of the fingerprint (and perhaps some other
details)

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
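
The point of the message above, as an added example (not part of the original post and not the poster's code): two constructed certificates carry identical Subject and Issuer text, yet only one has a signature path to the key the verifier trusts. The CA name "Constructed Root CA" and the helper names `issue`, `sameNames`, `chainsTo` and `demo` are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate naming org; a nil parent yields a self-signed CA.
func issue(org string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{Organization: []string{org}}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	t.KeyUsage = x509.KeyUsageDigitalSignature
	if parent == nil {
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// sameNames is the weak check: compare what two certificates "say".
func sameNames(a, b *x509.Certificate) bool {
	return a.Subject.String() == b.Subject.String() && a.Issuer.String() == b.Issuer.String()
}

// chainsTo is the real check: a signature path from c to a trusted root.
func chainsTo(roots *x509.CertPool, c *x509.Certificate) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// demo uses constructed certificates: a trusted CA and a second CA with the same name.
func demo() (namesMatch, genuineOK, impostorOK bool) {
	ca, caKey := issue("Constructed Root CA", nil, nil)
	fakeCA, fakeKey := issue("Constructed Root CA", nil, nil) // same name, different key
	genuine, _ := issue("Intevation GmbH", ca, caKey)
	impostor, _ := issue("Intevation GmbH", fakeCA, fakeKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the verifier trusts only the real CA's key
	return sameNames(genuine, impostor), chainsTo(roots, genuine), chainsTo(roots, impostor)
}
func main() { fmt.Println(demo()) } // true true false
```

The name comparison cannot tell the two certificates apart; only the signature check against the trusted root does.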