Andy Walker <awalker@nspank.invalid> wrote:

> True, I can't
> change the original information on the originating CA, but then your
> client won't be looking for the real CA anyway because the cert is
> signed by one of my bogus authorities.

And the client would warn its user because it doesn't recognize your bogus
authority. Unless you install your bogus CA certificate as a trusted cert
into the client. You failed to answer that part again.

SSL certificates rely on the integrity of trusted CAs. Verisign signs your
certificate request for foo.bar.com only if they can verify (veri-sign,
clever, eh?) your authority over the real foo.bar.com. They won't sign a
certificate for your little proxy scheme.

> Better still, if I control
> your DNS I can make your client think I've got a honest to dog EV Cert
> with the green address bar and the feel good "verified by" bull****.

Worse still, it would not be valid because you simply do not possess the
secret key tied to the certificate signed by a trusted CA. You cannot
establish an authenticated session with an "honest to dog" cert signed by an
"honest to dog" CA. You probably don't even get the fingerprint right that
the bank handed out to their clients on paper.

Why do you think anyone would pay good money for certificates if every Andy
Walker and his dog could fake one?
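As an added illustration of the point made in the reply above (this is example code, not anything posted in the thread), the script below uses the third-party `cryptography` package to build a real and a bogus CA, issue certificates for foo.bar.com under each, and run the check a client performs against its trust store. The CA names, keys and dates are constructed for the example.

```python
# Added example (not from the thread): shows why a client rejects a leaf
# certificate unless a CA it trusts actually signed it, and why naming the
# real CA as issuer does not help without the real CA's private key.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1)  # constructed; naive UTC like not_valid_before

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, signing_key, pub_key, is_ca):
    """Build an X.509 cert for `subject`, signed with `signing_key` (the issuer's key)."""
    b = (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
         .public_key(pub_key).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
         .add_extension(x509.SubjectAlternativeName([x509.DNSName(subject)]), critical=False))
    return b.sign(signing_key, hashes.SHA256())

def client_accepts(leaf, trust_store, hostname, now=NOW):
    """What a browser does: the issuer must be a trusted CA, that CA's signature
    over the leaf must verify, the dates must be valid and the hostname must match."""
    for ca in trust_store:
        if ca.subject != leaf.issuer:
            continue
        try:  # anyone can write "Real CA" into the issuer field; only the key can sign
            ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   ec.ECDSA(leaf.signature_hash_algorithm))
        except InvalidSignature:
            continue
        if not leaf.not_valid_before <= now <= leaf.not_valid_after:
            return False
        san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        return hostname in san.get_values_for_type(x509.DNSName)
    return False  # no trusted CA vouches for this certificate: the client warns

def scenarios():
    real_key, bogus_key, site_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    real_ca = make_cert("Real CA", "Real CA", real_key, real_key.public_key(), True)
    bogus_ca = make_cert("Bogus CA", "Bogus CA", bogus_key, bogus_key.public_key(), True)
    genuine = make_cert("foo.bar.com", "Real CA", real_key, site_key.public_key(), False)
    forged = make_cert("foo.bar.com", "Real CA", bogus_key, site_key.public_key(), False)
    proxied = make_cert("foo.bar.com", "Bogus CA", bogus_key, site_key.public_key(), False)
    return {"genuine, default store": client_accepts(genuine, [real_ca], "foo.bar.com"),
            "forged issuer name, default store": client_accepts(forged, [real_ca], "foo.bar.com"),
            "bogus CA, default store": client_accepts(proxied, [real_ca], "foo.bar.com"),
            "bogus CA installed as trusted": client_accepts(proxied, [real_ca, bogus_ca], "foo.bar.com")}
```

Only the last scenario succeeds, which is exactly the "unless you install your bogus CA certificate" condition the reply points out.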