Hackers can mess with HTTPS connections by sending data to your email server

by
Dan Goodin
from Ars Technica - All content on (#5JVHC)
web-security-800x450.jpeg

Enlarge (credit: Getty Images)

When you visit an HTTPS-protected website, your browser doesn't exchange data with the webserver until it has ensured that the site's digital certificate is valid. That prevents hackers with the ability to monitor or modify data passing between you and the site from obtaining authentication cookies or executing malicious code on the visiting device.

But what would happen if a man-in-the-middle attacker could confuse the browser into accidentally connecting to an email server or FTP server that uses a certificate that's compatible with the one used by the website?

The perils of speaking HTTPS to an email server

Because the domain name of the website matches the domain name in the email or FTP server certificate, the browser will, in many cases, establish a Transport Layer Security connection with one of these servers rather than the website the user intended to visit.

Read 14 remaining paragraphs | Comments

index?i=2H4-NPrXJBU:cvQZm7z_K_A:V_sGLiPB index?i=2H4-NPrXJBU:cvQZm7z_K_A:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments