Hello,
this is my first question here. I didn't find any solution scrolling the web (google, ...), that's why i'm posting a question here.
We have a website written in asp on IIS 6. The clients (companies) uses our website to post messages to their developers about issues and new orders. Let's say you want to send a service message to your developer and you both use our website. You have to login using a signed certificate and then go to send message section and post a message. All works great, at all steps we implemented the security to need a valid certificate. Even to post a message, because this message can be worth a lot of money (order new product from developers, ...).
Last week one of our client address us a question about faking certificates. Well certificates must be issued by 4 different private authorities (others are not accepted), the concern here is that they hired some security team to check it out. And they say to us that they could easily break in and post messages only by knowing CERT_SUBJECT of the client. The CERT_SUBJECT is stored in database (MSSQL), and their real concern is if someone would steal this information.
So what i would like to know is:
- is it possible to pass cert_subject somehow not having certificate?
- if so how? are there any tools? i found none only to fake http headers
- is it possible to avoid this security issue?
- are they lying to us so that they would receive some bonus or less payments???
- can this be done also over linux/unix?
- is it possible they had one cert from the same authority and changed cert_subject in it? Can certificates be easily modified/edited?
edited
- i just found something is it maybe possible doing this with curl?
They said to us they saw this happening and that we also know how to make this but no one of us know this, so please if someone can help me.
Thank you, Jaka Razgorsek
Submit an article or tip