Another use case for #cve20200601 #curveball
After my:
- Authenticode: https://twitter.com/gentilkiwi/status/1217731204373499904 & https://twitter.com/gentilkiwi/status/1217856535918936072
- Outlook S/MIME: https://twitter.com/gentilkiwi/status/1218204246346293249
now... Microsoft Word, Excel & PowerPoint
(many TLS browser PoCs already exist, I will not make another one) pic.twitter.com/SFPKe2Nzdw
"Kiwi Legit Authority" does not appear valid in the certificate box, but appears valid in the signature one
Replying to @gentilkiwi
Will Dormann Retweeted Will Dormann
Yes, there seems to be a difference between the validity of the chain as checked by Windows vs viewing the certificate. https://twitter.com/wdormann/status/1217820750079352832
Will Dormann added,
Will Dormann @wdormann
CVE-2020-0601 :
Read @moxie's SSL And The Future Of Authenticity
https://moxie.org/blog/ssl-and-the-future-of-authenticity/
Though in this case it's not a rogue CA, but a Windows flaw that allows a certificate to claim to be issued by a CA that it wasn't.
HTTPS spoofing is *one* example. Use your imagination here. pic.twitter.com/YSPnY7HYyh
1:01 PM - 17 Jan 2020