Perfect MITM Attacks With No-Check SSL Certs

StartCom writes "In a previous article I reported about Man-In-The-Middle attacks and spotlighted an example showing that they really happen. MITM attacks just got easier. In the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and a fully trusted certificate? No problem, just head over to one of Comodo's resellers. Screenshots and disclosure provided at the link."

Really now.

[cp.tar]

The example cited is "RESOLVED INVALID". The link to the "perfect attack" seems to be slashdotted. And at the time I started writing this comment, there have been no comments whatsoever.

Does this mean that Slashdotters have all swarmed the link trying to find out how to execute the perfect attack? Are we seeing a new trend here, with people actually reading TFAs?

Or is it that too many people have Greasemonkey scripts filtering out kdawson's posts?

Re:Really now.

[ghmh]

Apparently the perfect attack is actually 'Slashdot in the Middle'

Looks like DDOS beats all

[00_NOP]

It had "0" comments when I started and I still could not RTFA

Re:Don't do this at home

I have a much bigger concern. Who certifies those who certify the certifiers?

Re:Don't do this at home

[gomiam]

...your local psychiatrist?

Re:Don't do this at home

[ScreamingCactus]

Simple. We give the MITM attackers the power to certify the certifiers. That way we have a system of checks and balances.

Re:Don't do this at home

[kabloom]

Nobody. They don't have an HTTPS site.

Re:OK, which CA must leave the trusted list?

[dubbreak]

but yes, I think making and enforcing standards for CAs is a good role for the government.

Which "the government" are you talking about here? ...

I nominate Canada. They seem to be a respected world power. Everyone will be willing to listen to them.