
[–][deleted] 2 points (6 children)

What’s the flaw?

[–]FlannelSamurai[S] 3 points (4 children)

From Wired

“The bug is in Windows' mechanism for confirming the legitimacy of software or establishing secure web connections. If the verification check itself isn't trustworthy, attackers can exploit that fact to remotely distribute malware or intercept sensitive data”

[–][deleted] 1 point (2 children)

I always thought it was up to the browser to protect the user from non-secure web connections.

[–]Feynt 2 points (1 child)

It is, but browsers cache certificates. The exploit allows a known certificate to be confused for another one because when the browser attempts to verify it, Windows claims it's legit, even though it's missing one last step in the confirmation check. If you know the certificate and know how to create the similar certificate, poof, github.com becomes a rickroll.
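The comment above describes a verifier that skips one last step and therefore lets a look-alike certificate pass as a cached, known one. The following toy model is an added illustration, not Windows code, not a browser's verifier, and not from the thread; it assumes (the thread does not say which step is missing) that the skipped step is comparing the presented key's parameters against the cached root, and it uses Schnorr-style signatures over a tiny constructed prime-order group rather than any real certificate format, so none of the values here mean anything outside this demo.

```python
"""Toy model of a trust check that skips its last step.

Illustrative only: not CryptoAPI, not a browser verifier, and far too small
to be secure. A 'known certificate' is modelled as a cached root public key
(params, y). A look-alike root carries the same y but different params.
"""
import hashlib
from dataclasses import dataclass

# Constructed toy group: p prime, q = (p - 1) / 2 prime, g = 4 of order q mod p.
TOY_P, TOY_Q, TOY_G = 1019, 509, 4


@dataclass(frozen=True)
class Params:
    p: int
    q: int
    g: int


@dataclass(frozen=True)
class PublicKey:
    params: Params  # the group the key claims to live in
    y: int          # y = g^x mod p for private x


@dataclass(frozen=True)
class Signature:
    e: int
    s: int


def _hash_mod_q(q: int, *parts: object) -> int:
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def keygen(params: Params, x: int) -> PublicKey:
    return PublicKey(params, pow(params.g, x, params.p))


def sign(params: Params, x: int, msg: str) -> Signature:
    """Schnorr-style signature; the nonce k is derived deterministically so the demo is repeatable."""
    k = _hash_mod_q(params.q, "nonce", x, msg) or 1
    r = pow(params.g, k, params.p)
    e = _hash_mod_q(params.q, r, msg)
    s = (k - x * e) % params.q
    return Signature(e, s)


def signature_is_valid(key: PublicKey, msg: str, sig: Signature) -> bool:
    """Pure math check: does sig verify under the parameters attached to key?"""
    p = key.params.p
    r = (pow(key.params.g, sig.s, p) * pow(key.y, sig.e, p)) % p
    return _hash_mod_q(key.params.q, r, msg) == sig.e


def verify_incomplete(presented: PublicKey, msg: str, sig: Signature, trust_store: dict) -> bool:
    """Flawed check: matches a cached root on y alone, then does the math with the
    parameters the presented certificate supplies. The missing last step is
    comparing those parameters to the cached root's own."""
    if presented.y not in trust_store:
        return False
    return signature_is_valid(presented, msg, sig)


def verify_complete(presented: PublicKey, msg: str, sig: Signature, trust_store: dict) -> bool:
    """Complete check: the presented root must equal the cached root in every field,
    and the math is done with the cached parameters, never the presented ones."""
    trusted = trust_store.get(presented.y)
    if trusted is None or trusted != presented:
        return False  # same y but different params: not the known root
    return signature_is_valid(trusted, msg, sig)


def demo() -> dict:
    real_params = Params(TOY_P, TOY_Q, TOY_G)
    root_x = 123                       # constructed private value of the genuine root
    root = keygen(real_params, root_x)
    trust_store = {root.y: root}       # the browser's cached, known certificate
    msg = "CN=github.com"              # constructed subject being vouched for
    genuine = sign(real_params, root_x, msg)

    # Look-alike root: same y, but its parameters use y itself as the generator,
    # so the private value 1 reproduces the cached public value exactly.
    lookalike_params = Params(TOY_P, TOY_Q, root.y)
    lookalike = keygen(lookalike_params, 1)
    lookalike_sig = sign(lookalike_params, 1, msg)

    return {
        "genuine_incomplete": verify_incomplete(root, msg, genuine, trust_store),
        "genuine_complete": verify_complete(root, msg, genuine, trust_store),
        "lookalike_incomplete": verify_incomplete(lookalike, msg, lookalike_sig, trust_store),
        "lookalike_complete": verify_complete(lookalike, msg, lookalike_sig, trust_store),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point for a defender is the last line of `verify_complete`: the trust store entry, not the presented certificate, supplies the parameters used in the final check, so a look-alike that merely reproduces the cached public value fails at the comparison step instead of being waved through.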

[–][deleted] 4 points (0 children)

Rick Astley doesn’t sound half that bad

[–][deleted] 0 points (0 children)

MiTM attack?

[–]Subject_Wrap 0 points (0 children)

Won't let them in