科技回声

<p><pre><code> Issuer: C=GB, ST=London, L=London, O=GU, OU=tech, CN=*.int.gnl/emailAddress=martyn.inglis@guardian.co.uk Subject: C=GB, ST=London, L=London, O=GU, OU=tech, CN=*.int.gnl/emailAddress=martyn.inglis@guardian.co.uk </code></pre> This isn't the Guardian's certificate. It's self-signed, for starters.

This is just a self-signed cert.

HTTPS does not seem to be properly configured on their servers anyway, I get an "You attempted to reach www.theguardian.com, but instead you actually reached a server identifying itself as *.a.ssl.fastly.net." error when trying to connect over HTTPS.<p>That's interesting because they do have content protected by a sign in system. Are they just not using HTTPS for that? I kind of expected more from the Guardian.

Wouldn't this allow someone to do a full man in the middle attack with a compromised server/dns server?

So now anyone snooping on visitors to Guardian's site can decrypt the communication. Don't see why anyone would waste time on this given that there is no 'money' involved.

Yes, just checked now.

it's not the real one it's a test SSL cert

This is just a self-signed cert.

Wouldn't this allow someone to do a full man in the middle attack with a compromised server/dns server?

So now anyone snooping on visitors to Guardian's site can decrypt the communication. Don't see why anyone would waste time on this given that there is no 'money' involved.

Yes, just checked now.

it's not the real one it's a test SSL cert

The Guardian also open-sourced a test SSL cert

7 条评论

The Guardian also open-sourced a test SSL cert

7 条评论