Dear Software Vendors: Please Stop Trying to Intercept Your Customers’ Encrypted Traffic

What’s worse is that these attacks are even easier than researchers originally thought, because of the way Komodia’s software handles invalid certificates: it alters the part of the certificate which specifies what website the certificate is for—for example changing www.eff.org to verify_fail.www.eff.org—and then signs the certificate and sends it on to your browser. Since the website listed on the certificate (verify_fail.www.eff.org) doesn’t match the website the user is actually visiting (www.eff.org), the browser shows a warning to the user.
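To make the mechanism concrete, here is the hostname check a TLS client performs against a presented certificate, written as an added example in Python (it is not code from the original post, from EFF, or from Komodia). The `verify_fail.` rewrite described above is flagged separately from an ordinary name mismatch so that a local validator or proxy log can distinguish the two; the certificate names and the function names (`classify_presented_cert`, `hostname_matches`) are constructed for this illustration.

```python
"""Hostname validation for a presented TLS certificate, with the
verify_fail. rewrite described above reported as an interception
marker.  Added example, not Komodia's or EFF's code; certificate
name sets used in the checks are constructed."""
from typing import Iterable, List, Optional

# Prefix the page describes Komodia prepending to the original name
VERIFY_FAIL_PREFIX = "verify_fail."


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a hostname in the RFC 6125
    style: exact match, or a wildcard only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label, and a two-label wildcard
    # such as "*.com" is refused because it would cover a whole TLD.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(subject_cn: Optional[str], sans: Iterable[str]) -> List[str]:
    """Names a validator considers: the SAN list, or the subject CN
    only when the certificate carries no SAN extension."""
    san_list = list(sans)
    if san_list:
        return san_list
    return [subject_cn] if subject_cn else []


def hostname_matches(names: Iterable[str], requested_host: str) -> bool:
    """True when any certificate name matches the host the user asked for."""
    return any(_name_matches(n, requested_host) for n in names)


def classify_presented_cert(requested_host: str,
                            subject_cn: Optional[str],
                            sans: Iterable[str] = ()) -> str:
    """Classify the certificate the client received for requested_host:
    'ok', 'interception_marker' (the verify_fail. rewrite), or
    'name_mismatch' (any other name failure).  All three outcomes other
    than 'ok' should be hard failures; none is a prompt to click through."""
    names = cert_names(subject_cn, sans)
    if hostname_matches(names, requested_host):
        return "ok"
    marker = VERIFY_FAIL_PREFIX + requested_host.lower().rstrip(".")
    for name in names:
        if name.lower().rstrip(".") == marker:
            return "interception_marker"
    return "name_mismatch"


if __name__ == "__main__":
    # Constructed cases: a normal certificate, the rewritten one the page
    # describes, and an unrelated name.
    print(classify_presented_cert("www.eff.org", "www.eff.org", ["www.eff.org"]))
    print(classify_presented_cert("www.eff.org", "verify_fail.www.eff.org"))
    print(classify_presented_cert("www.eff.org", "www.example.org"))
```

The marker check is a fingerprint of this one product's behaviour, not a general defence: the durable control is a client that treats any name mismatch as a fatal error with no override, since the whole weakness the post describes is that a warning the user can dismiss stands in for the hard failure the original invalid certificate should have caused.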
