by some_furry
63 days ago

> How can you falsely revoke a certificate?

If you don't have the private key on hand to issue a revocation, your next best bet is to find a parser bug that convinces some subset of user agents that the valid certificate you don't hold the private key for is actually invalid. (Hence, a false revocation.) And then, get those users into the habit of accepting invalid/revoked certificates if they want to access the site. And then after weeks of battling against their patience or endurance, then you offer an invalid cert for a MitM. That's how I was thinking of it, anyway.