Recently in Security Category

SSL and TLS are broken in many exciting ways. I’m just going to focus on one of these: revocation.

Certificate authorities (‘CAs’) tend to issue certificates with fairly long validity periods — a year is common. What do they do if they find that a certificate is bad before the year is up?

The GCHQ challenge, unpicked

No, I didn’t solve it all. I did most of it, though, and one of the remaining bits is, I think, a bug in their server. There seem to be a fair few bugs, or at least rough edges.

The starting point is http://canyoucrackit.co.uk/ — if it’s still up by the time you read this. If not, I made a copy.

My father applied for a new credit card the other day. MumbleBank sent him an email notifying him about some security arrangements for the new account — the details aren’t important. This mail contained HTML content, and a link to MumbleBank’s website where he had to configure something. This is where the fun begins.

The link’s text said mumblebank.com/creditcard. The link target was http://mumblebankcreditcard/foo/. Obviously these aren’t the same. He knows enough to hover the mouse over the link and to get nervous when the link text doesn’t match the target URI.

About this Archive

This page is an archive of recent entries in the Security category.
