Forums.FreeBSD.org - SSL Issue?
Christopher Schulte
christopher at schulte.org
Wed May 13 21:45:08 UTC 2015
> On May 13, 2015, at 9:29 AM, Paul Franklin <paul.franklin at grg.com> wrote:
>
> Hi James,
>
> Yes I agree, it looks like the wrong intermediate cert has been used...
>
> Certificate:
> Subject: CN=forums.freebsd.org
> Issuer: CN=Gandi Standard SSL CA 2
>
> Intermediate:
> Subject: CN=Gandi Standard SSL CA
>
> The certificate issuer CN doesn't match the intermediate subject CN
> (note the missing 2)
I’ll chime in here with a related resource I use from time to time, specifically with regard to website TLS/SSL certs.
First, see:
http://perspectives1.schulte.org:8080/?host=forums.freebsd.org&port=443&service_type=2&
Which is designed to be used with the Perspectives web browser plugin, allowing supported browsers to query a set of trusted notary servers in real time, comparing the certs (well, actually just the fingerprint of the certs) stored in the notary servers with what the browser sees. That can be used to potentially detect MITM attacks, even those using trusted-CA-issued certs which would pass the browser’s trust test.
Separate from using it in-line with my web browser to help secure my day-to-day browsing, I from time to time also manually query one of my notaries, looking for cert history for a given target site. In this case, it quickly allowed me to see that a new cert appears to have been installed recently on the forums site, replacing the old one which had been used since October of last year.
It’s a slick tool. I use it along with other tools that query things like DANE/DNSSEC properties (BTW: thanks, FreeBSD, for publishing signed TLSA records!).
You can see more about my Perspectives setup at https://noc.schulte.org/perspectives.html, which also has a link to the project’s homepage. You can pull down the server code and set up your own set of trusted servers. I spread mine out across different networks, improving the chance of detecting malicious activity.
> Regards,
> Paul.
Chris
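The two checks the thread describes, Paul's issuer/subject CN comparison and the per-cert fingerprint a Perspectives notary records, as an added Go example written for this page (not code from the thread, FreeBSD, Gandi or the Perspectives project). It builds a throwaway certificate hierarchy using the CNs quoted above, pairs the leaf with the wrong intermediate the way the forums site did, and reports the mismatch; the signature step goes one case further than the thread and also rejects a lookalike intermediate whose CN matches but whose key did not sign the leaf.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a self-signed CA (parent == nil) or a cert signed by parent. Keys and names are constructed here; nothing is real Gandi or FreeBSD material.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, priv // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// CheckChainLink reports why the served intermediate cannot have issued the leaf: first the
// issuer/subject CN comparison done by eye in the thread, then the signature check, which also
// rejects a lookalike intermediate whose Subject matches but whose key never signed the leaf.
func CheckChainLink(leaf, intermediate *x509.Certificate) error {
	if leaf.Issuer.CommonName != intermediate.Subject.CommonName {
		return fmt.Errorf("issuer CN %q != intermediate subject CN %q", leaf.Issuer.CommonName, intermediate.Subject.CommonName)
	}
	return leaf.CheckSignatureFrom(intermediate)
}

// Fingerprint is the SHA-256 of the DER encoding, the per-cert value a notary would store and compare.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

func main() {
	ca2, ca2Key := mkCert("Gandi Standard SSL CA 2", true, nil, nil)
	ca1, _ := mkCert("Gandi Standard SSL CA", true, nil, nil) // the intermediate actually served
	leaf, _ := mkCert("forums.freebsd.org", false, ca2, ca2Key)
	fmt.Println("served chain:", CheckChainLink(leaf, ca1), "| leaf fingerprint:", Fingerprint(leaf))
}
```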