
BLU Discuss list archive



comcast bad cert



On 5 Oct 2003, eric wrote:

> hello, would somebody please explain (in general) to me what the
> following really means and how a cracker could use it to take advantage
> of my communications.  thanks for any pointers.
> 
> "bad certificate from pop3.comcast.net
> signature bad
> self-signed certificate in chain"

SSL Certificates perform two separate functions, authentication and 
encryption.

The encryption portion is still in effect.  Any communication between your 
e-mail client and the server you are talking to is encrypted, and not 
subject to eavesdropping.

The authentication portion is broken here.  An SSL certificate has a chain 
of authority.  A trusted source (Verisign or others) has provided a signed 
certificate to the company after confirming that they are who they say 
they are.

A self-signed certificate is a certificate that is signed by the company 
itself.  If you have the correct public certificate, then your 
communication is safe.  It's very hard to be sure that the certificate is 
the correct one, without just trusting that you downloaded the correct 
one.

The way that this can be taken advantage of is by someone doing a man in 
the middle attack.  For example, if your DNS points to the wrong server 
for smtp.comcast.net, then the server you hit instead could give you their 
cert, and create their own communication with the actual server.  You'd 
get the data you want, but the server that you're hitting gets to listen 
in on the whole conversation.

I said before that the communication between your client and the server 
you're talking to is encrypted.  This is true, but you have no way of 
knowing if the server you're talking to is the server you wanted to talk 
to.

--
Greg Boyce





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org