Proof of Concept using JavaScript to load the original certificate

CVE-2020-0601 requires that the original CA certificate is in your certificate cache. This website uses JavaScript to load an example page served with the correct certificate, and then redirects you to a web page serving a fake, crafted certificate as a test.

This test is meant to demonstrate that a fake certificate is accepted as valid for *.ktp.dev domains and *.microsoft.com domains, as well as for github.com. Such a certificate could be used to carry out a man-in-the-middle attack.

  • If you see "Hello World" on the next screen, you're vulnerable to CVE-2020-0601.
  • If you get a certificate error, you're safe!

Get more details, including the gory cryptographic details, by reading our write-up on our Research Blog!

Or get a good high-level idea of the threat and how to mitigate it by reading our Modern CISO blog post on the topic.

Thanks to Scott Arciszewski for the JavaScript code :)