Juniper OS Flaw Allowed Forged Certificates (arstechnica.com)
Slashdot reader disccomp shares an article from Ars Technica:
In an advisory posted Wednesday, Juniper officials said they just fixed a bug in the company's Junos operating system that allowed adversaries to masquerade as trusted parties. The impersonation could be carried out by presenting a forged cryptographic certificate that was signed by the attacker rather than by a trusted certificate authority that normally vets the identity of the credential holder...
"It seems that Junos was accepting specially crafted, invalid certificates as trusted," said Stephen Checkoway, a computer scientist at the University of Illinois at Chicago who recently focused on security in Juniper products. "This would enable anyone to create a VPN connection and gain access to the private network, e.g., a private, corporate network."
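To make the failure mode concrete: the attacker-signed certificate Checkoway describes is only dangerous if the validator never checks the signature chain back to a trusted root. The Go program below is an added illustration, not code from Juniper, Junos or the article. It constructs its own trust store (a CA named "Example Corp VPN CA", a genuine peer certificate, and a forged peer certificate signed by an attacker-run CA that copies the trusted CA's name) and then runs two validators: a deliberately naive one that only compares the Issuer name, and a proper one built on the standard library's `x509.Certificate.Verify`. All names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds a constructed trust store plus two peer certificates:
// one genuinely issued by the trusted CA and one forged by an attacker-run
// CA whose subject name copies the trusted CA's name (all values constructed).
type Scenario struct {
	Roots     *x509.CertPool
	TrustedCA *x509.Certificate
	Genuine   *x509.Certificate
	Forged    *x509.Certificate
}

// template builds a CA or end-entity certificate template valid for a day.
func template(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue creates a certificate from tmpl with a fresh P-256 key. With
// parent == nil the certificate is self-signed; otherwise parentKey signs it.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario constructs the trusted CA, a genuine VPN peer certificate,
// and a forged one signed by an attacker's look-alike CA.
func BuildScenario() (*Scenario, error) {
	trustedCA, caKey, err := issue(template(1, "Example Corp VPN CA", true), nil, nil)
	if err != nil {
		return nil, err
	}
	genuine, _, err := issue(template(2, "vpn-user-alice", false), trustedCA, caKey)
	if err != nil {
		return nil, err
	}
	// The attacker's CA reuses the trusted CA's name but holds its own key.
	attackerCA, attackerKey, err := issue(template(3, "Example Corp VPN CA", true), nil, nil)
	if err != nil {
		return nil, err
	}
	forged, _, err := issue(template(4, "vpn-user-alice", false), attackerCA, attackerKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	return &Scenario{Roots: roots, TrustedCA: trustedCA, Genuine: genuine, Forged: forged}, nil
}

// NaiveIssuerCheck models a broken validator: it accepts any certificate whose
// Issuer name equals the trusted CA's Subject and never checks the signature,
// so the forged certificate passes.
func NaiveIssuerCheck(peer, trustedCA *x509.Certificate) bool {
	return peer.Issuer.String() == trustedCA.Subject.String()
}

// VerifyPeer builds and checks a signature chain from peer to a root in the
// trust store, including validity period and the client-auth key usage.
func VerifyPeer(peer *x509.Certificate, roots *x509.CertPool) error {
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"genuine": s.Genuine, "forged": s.Forged} {
		fmt.Printf("%-8s naive=%v chain=%v\n", name, NaiveIssuerCheck(c, s.TrustedCA), VerifyPeer(c, s.Roots))
	}
}
```

Run it with `go run .`: the naive name check reports `true` for both certificates, while the chain check returns `nil` for the genuine one and an unknown-authority error for the forged one, because the attacker's CA key does not match the root in the pool. The point for anyone reviewing a VPN or TLS peer validator is that the signature chain, not the issuer name, is what binds a certificate to the trust store.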
... was to make the damn thing secure. That's why it exists. And they still failed. It's like selling bread that doesn't taste like, or have the same ingredients as, real bread. But you still call it bread and sell it. These companies should be boycotted. It's our security that we're talking about! There should be repercussions for these kinds of failures!