technical-discuss - [InC-Technical] A good example of why it's critical to verify the signature on metadata (and why relying on TLS for trust is bad)

Subject: InCommon Technical Discussions

  • From: Nick Roy <>
  • To: Nick Roy <>
  • Subject: [InC-Technical] A good example of why it's critical to verify the signature on metadata (and why relying on TLS for trust is bad)
  • Date: Tue, 24 Apr 2018 19:00:07 +0000

This is only peripherally related to why signed metadata is important,
but it should become apparent when you get to the part about a spoofed
TLS certificate.

https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f

Nick

