Date: Tue, 15 Feb 2005 16:24:48 -0500
From: bkfsec <bkfsec@....lonestar.org>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: Vincent Archer <var@...y-all.com>, bugtraq@...urityfocus.com,
	Scott Gifford <sgifford@...pectclass.com>,
	David Schwartz <davids@...master.com>
Subject: Re: International Domain Name [IDN] support in modern browsers allows
 attackers to spoof domain name URLs + SSL certs.


Thor (Hammer of God) wrote:

>
> Of course the CA has to gain the trust of the users... There are many 
> uses for client-based certificates: code signing, user verification, 
> email encryption, automatic mapping of user account to personal 
> certificates, blah blah blah.  The business model of commercial CA's 
> is most certainly not limited to server operators only.   While 
> personal certificate stores come with pre-trusted root certificates 
> from many CA's to automatically trust many server-based functions, 
> there is a vast market for client certs.
>
Yes, and how many average users do you know of who know this?

I know quite a number of average users and know of absolutely 0 who 
would be aware of this.

             -Barry



