
Re: about Incorrect X509 server certificate validation

On 3/05/2015 11:10 a.m., HackXBack wrote:
> You mention this part:
> Severity:
> 
>  The bug is important because it allows remote servers to bypass
>  client certificate validation. Some attackers may also be able
>  to use valid certificates for one domain signed by a global
>  Certificate Authority to abuse an unrelated domain. 
> 
> 
> You mean that there is a way to use a certificate that is signed by a global
> certificate authority (trusted CA)?

There was a possible way for some certificates which would also be
abusing this bug to pass the global CA checks they do before signing.


> If yes, then we can use it and there is no need to import our own certificate into
> the client browser to force it as trusted?

No. The vulnerability was attack traffic having the attacker's
certificate removed and re-encrypted using *yours*. The clients always
have to trust your certificate.

You cannot use one of the attacker-type certificates in Squid because a)
they are not CA signing certificates, and b) they are "broken" in ways
that clients should already validate against. That is why server-first
mode is not vulnerable when client-first is. In server-first mode the
breakage gets mimicked and the client rejects the certificate (not Squid).

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
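The contrast Amos draws between client-first and server-first bumping, written out as a squid.conf fragment. This is an added example and not part of the thread or the Squid project's documentation: the directive names are the Squid 3.3/3.4-era `ssl_bump`, `sslproxy_cert_error` and `sslproxy_cert_sign` family, while the port number, CA path and helper paths are assumptions to adapt to your own install. It shows the weak setting beside the one the reply recommends, with the signing rules that make upstream breakage visible to the client rather than hiding it behind the proxy's trusted CA.

```conf
# Constructed squid.conf fragment (example, not Squid's shipped config).
# Paths, port and cache sizes are assumptions; adjust for your install.

http_port 3128 ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# WEAK: client-first bumps the client before Squid has even connected to the
# origin server. Whatever certificate the server later presents, the client
# only ever sees a fresh one signed by myCA, which it trusts, so the client's
# own validation never gets a chance to see a broken or forged server
# certificate. This is the mode the reply describes as vulnerable.
# ssl_bump client-first all

# Preferred: server-first makes Squid fetch and validate the origin server's
# certificate first, then generates the client-side certificate mimicking
# its properties, so the client performs its own checks on what it sees.
ssl_bump server-first all

# Do not let upstream certificate errors be bypassed silently.
sslproxy_cert_error deny all

# Propagate upstream breakage instead of laundering it: an untrusted or
# self-signed origin certificate is re-signed with a matching untrusted or
# self-signed proxy certificate, so the browser rejects it (not Squid),
# exactly as the reply says happens in server-first mode.
sslproxy_cert_sign signUntrusted ssl::certUntrusted
sslproxy_cert_sign signSelf ssl::certSelfSigned
sslproxy_cert_sign signTrusted all
```

The client-first line is left commented out on purpose so the two modes can be compared side by side; only one `ssl_bump` mode should be active for a given rule. The `sslproxy_cert_sign` rules are what make "mimicking" concrete: without them a broken upstream certificate would still be replaced by one signed with the proxy's trusted CA, which is the outcome the reply warns against.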