XS4ALL user gets hold of certificate for Xs4all.nl

A subscriber of XS4ALL has managed to create an SSL certificate for Xs4all.nl by, in his own words, registering 'administrator@xs4all.nl'. That alias should actually be on a blacklist, but that had not happened.

Using the email address administrator@xs4all.nl, which he had created as an alias for his private address, XS4ALL user Remy van Elst was able to have certificate authority Comodo generate an SSL certificate for Xs4all.nl. Because of the email address, the SSL authority apparently assumed it was dealing with an employee of the provider.

With the certificate, an attacker can mount a successful man-in-the-middle attack to read users' traffic to and from that website. To do so he must first be able to intercept a user's connection, for example with a fake wifi hotspot. The certificate is not valid for webmail.xs4all.nl or the customer portal service.xs4all.nl, but Van Elst could create a certificate for those too using the same email address.

The certificate the XS4ALL subscriber created is trusted by all mainstream web browsers, as Comodo is a trusted certificate authority. An attacker who can intercept a visitor's connection to Xs4all.nl can therefore read customers' traffic without them noticing anything, by serving them through the false certificate.

A test by Tweakers shows that the certificate and private key do belong together, proving that the XS4ALL subscriber managed to generate a false certificate. XS4ALL was informed by Van Elst and confirms the news, but points out that Xs4all.nl has a so-called DANE entry in DNS. That standard is meant to prevent an arbitrary certificate from being served for a domain name, but browsers currently do not yet support the standard.
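The DANE mechanism mentioned above works by publishing TLSA records in DNS that a client compares against the certificate a server actually presents, so a CA-trusted but mis-issued certificate fails the check even though the browser's trust store accepts it. The following is an added illustration written for this page, not code from Tweakers, XS4ALL or any DANE library; the two "certificates" are constructed byte strings standing in for DER-encoded certificates, and only selector 0 (full certificate) and the end-entity usages 1 and 3 are implemented.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable

# Constructed stand-ins for DER-encoded certificates (a real record hashes the DER bytes).
LEGIT_CERT_DER = b"CONSTRUCTED-DER: CN=xs4all.nl, issued to the provider itself"
ROGUE_CERT_DER = b"CONSTRUCTED-DER: CN=xs4all.nl, mis-issued to a holder of administrator@"


@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 6698): <usage> <selector> <matching_type> <data>."""
    usage: int          # 0-3; 3 = DANE-EE: pin the end-entity certificate itself
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

    def presentation(self) -> str:
        """Zone-file style text, e.g. '3 0 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def parse_tlsa(text: str) -> TLSA:
    """Parse the presentation form back into a record."""
    usage, selector, mtype, data = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(data))


def _select(cert_der: bytes, selector: int) -> bytes:
    if selector == 0:
        return cert_der
    # Selector 1 would extract the SubjectPublicKeyInfo, which needs an X.509 parser.
    raise NotImplementedError("selector 1 (SPKI) is not implemented in this example")


def _associate(data: bytes, matching_type: int) -> bytes:
    """Apply the matching type to the selected data to get the 'certificate association data'."""
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_for(cert_der: bytes, usage: int = 3, selector: int = 0, matching_type: int = 1) -> TLSA:
    """Build the record a domain owner would publish for its own certificate."""
    return TLSA(usage, selector, matching_type,
                _associate(_select(cert_der, selector), matching_type))


def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    """Does the presented end-entity certificate satisfy one TLSA record?"""
    # Usages 0 and 2 constrain a CA in the chain and need full chain validation, and
    # usage 1 additionally requires ordinary PKIX validation; neither is done here.
    if record.usage not in (1, 3):
        return False
    presented = _associate(_select(cert_der, record.selector), record.matching_type)
    return hmac.compare_digest(presented, record.data)


def dane_accepts(records: Iterable[TLSA], cert_der: bytes) -> bool:
    """The connection is accepted if any published record matches the presented certificate."""
    return any(tlsa_matches(r, cert_der) for r in records)


if __name__ == "__main__":
    # What the provider would publish at _443._tcp.xs4all.nl for its legitimate certificate.
    published = [tlsa_for(LEGIT_CERT_DER)]
    print("published record:", published[0].presentation())
    print("legitimate cert accepted:", dane_accepts(published, LEGIT_CERT_DER))
    print("mis-issued cert accepted:", dane_accepts(published, ROGUE_CERT_DER))
```

The point of the demonstration is the last line: the mis-issued certificate is rejected purely because its bytes do not hash to the published record, independent of which CA signed it. In practice the lookup must come over DNSSEC-validated DNS, otherwise an attacker in the same network position could also forge the TLSA answer.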

In a response to Van Elst, XS4ALL says that 'administrator@xs4all.nl' should by default not be registerable as an alias, but that this "went wrong in this case". The XS4ALL customer emphasizes that he has no malicious intentions. "That is why I informed XS4ALL immediately and had the certificate revoked," Van Elst tells Tweakers.
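The mitigation XS4ALL refers to is a reservation list applied when a customer requests an alias: the local parts that certificate authorities accept as proof of domain control (admin, administrator, webmaster, hostmaster and postmaster, per the CA/Browser Forum Baseline Requirements) must never be handed to a subscriber. The following is an added example for this page, not XS4ALL's own provisioning code; the managed-domain set, the extra provider-reserved names and the audit helper are assumptions of the example.

```python
import re
from typing import Iterable, List, NamedTuple

# Local parts CAs accept for email-based domain validation (CA/Browser Forum Baseline
# Requirements, "constructed email to domain contact").
CA_VALIDATION_LOCAL_PARTS = frozenset({"admin", "administrator", "webmaster", "hostmaster", "postmaster"})

# Constructed example of names a provider might reserve on top of the CA list.
PROVIDER_RESERVED = frozenset({"abuse", "security", "noc", "support", "ssl"})

# Domains for which this provider hands out aliases (assumption for the example).
MANAGED_DOMAINS = frozenset({"xs4all.nl"})

_LOCAL_PART = re.compile(r"^[a-z0-9._%-]+$")


class AliasDecision(NamedTuple):
    allowed: bool
    reason: str


def normalise_local_part(local: str) -> str:
    """Fold case and drop sub-addressing so 'Administrator+x' is judged as 'administrator'."""
    return local.strip().casefold().split("+", 1)[0]


def validate_alias_request(address: str,
                           managed_domains: frozenset = MANAGED_DOMAINS,
                           provider_reserved: frozenset = PROVIDER_RESERVED) -> AliasDecision:
    """Decide whether a subscriber may register this alias on a provider-managed domain."""
    if address.count("@") != 1:
        return AliasDecision(False, "malformed address")
    local, domain = address.rsplit("@", 1)
    domain = domain.strip().casefold()
    if domain not in managed_domains:
        return AliasDecision(False, f"domain {domain!r} is not managed by this provider")
    local = normalise_local_part(local)
    if not _LOCAL_PART.match(local):
        return AliasDecision(False, "local part contains unsupported characters")
    if local in CA_VALIDATION_LOCAL_PARTS:
        return AliasDecision(False, f"{local}@{domain} is a CA domain-validation contact address")
    if local in provider_reserved:
        return AliasDecision(False, f"{local}@{domain} is reserved by the provider")
    return AliasDecision(True, "ok")


def audit_existing_aliases(aliases: Iterable[str]) -> List[str]:
    """Re-check already registered aliases; returns those that should not have been granted."""
    return [a for a in aliases if not validate_alias_request(a).allowed]


if __name__ == "__main__":
    for request in ("administrator@xs4all.nl", "Administrator+cert@XS4ALL.NL", "remy@xs4all.nl"):
        print(f"{request:35} -> {validate_alias_request(request)}")
    # Constructed alias list standing in for an existing customer database.
    print("offending existing aliases:",
          audit_existing_aliases(["remy@xs4all.nl", "hostmaster@xs4all.nl", "admin+x@xs4all.nl"]))
```

The audit function matters as much as the request-time check: the article's case is one where the alias had already been granted, so a provider adding the blacklist afterwards needs to sweep the existing alias table too. The regex deliberately restricts local parts to a plain character set so that lookalike spellings with unusual characters cannot slip past the reserved-name comparison.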

Earlier, a fake SSL certificate was issued for Live.fi, the Finnish domain of Windows Live. That probably happened because a researcher managed to obtain an administrator address. In neither case was it an extended validation certificate, for which the identity of the applicant is checked more thoroughly. Those certificates are recognizable by a large green bar in the browser showing the company name.

