lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 25 Sep 2003 10:47:02 -0400
From: Justin Hahn <jeh@...fitlogic.com>
To: 'Christopher Wagner' <chrisw@...aids.com>,
	'N407ER' <n407er@...ealbox.com>,
	"'Richard M. Smith'" <rms@...puterbytesman.com>
Cc: "'BUGTRAQ@...URITYFOCUS. COM'" <BUGTRAQ@...URITYFOCUS.COM>
Subject: RE: Does VeriSign's SiteFinder service violate the ECPA?


> The point I think Mr. Smith is trying to make is that Verisign seems
> to *want* to intercept this private information and use it to their
> own commercial advantage.  Respectable sysadmins do not wish to receive
> form data intended for other sites.

As an aside, I find it very curious that people characterize HTTP
traffic done in the clear (i.e. unencrypted) on the public internet
as private data. If I shout my Social Security Number out loud in
public, I am surely to blame for any losses I might incur from this act.
HTTP traffic on the net is nominally analogous.

Now, if they were using some sort of wildcard SSL cert (technically, this is
doable. Most browsers support a wildcard CN cert, but curiously Verisign is
one of the CAs that DOESN'T issue them.) then it'd be a different story.

Something to consider is if I've got a website foobar.com and it's a secure
site, what happens if I accidentally direct traffic to foobarrr.com, which
is actually SiteFinder+SSL. Hopefully the browser will alert the user that
they are connecting to a different site with a different cert. However, it's
quite likely that won't happen. (and if it does, I'm betting it's one of the
popups that most users disable.)

I'd be careful making legal arguments, but I suspect that if Verisign is
doing anything with this data they are justifying it as being "Public" and
that if people are foolish enough to transmit "Private" data in a "Public" 
medium they can't be held liable. (But of course, that's for the courts to
decide, and I wouldn't shed a tear if a judge disagreed with that 
interpretation.)

--jeh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ