Date: Wed, 16 Feb 2005 13:53:55 -0800
From: "David Schwartz" <davids@...master.com>
To: <bkfsec@....lonestar.org>, <kbo@....tiscali.de>
Cc: "Vincent Archer" <var@...y-all.com>, <bugtraq@...urityfocus.com>,
	"Scott Gifford" <sgifford@...pectclass.com>
Subject: RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

> My proposition is that the argument that they (and their associated webs
> of trust) are inherently trustworthy because of external pressures is a
> flawed assumption because they do not have the proposed level of
> pressure applied to them since most of the people affected by their web
> of trust don't understand it.

	They don't have to. I don't understand how my supermarket gets their meat,
but I trust them to use safe sources because I know that if they didn't
those who do understand would tell me, and then I'd figure out a way to
avoid it.

	No CA wants to find out what market forces will appear as soon as they
prove to be untrustworthy. There are already many vehicles for immediately
deploying blacklists. For example, Symantec could release an update for any
of their security products that removed a root CA. It wouldn't take more
than a small percent of web users to have a problem with a CA before people
wouldn't want their certificates to be signed by that CA.

	The CA market is competitive.

	DS
