| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Feb 2006 10:02:12 +0100 From: Stefan Kelm <stefan.kelm@...orvo.de> To: bugtraq@...urityfocus.com Subject: Re: Amazon phishing scam on Yahoo servers > Surely someone, somewhere, has to take some responsibility for allowing > domains to be created which are clearly and obviously bogus. Who could > possibly have a reason to register paypal-unlocking.net? The problem is, there's no such thing as a domain which is, or which is not "clearly and obviously bogus". There won't be internationally applicable rules (i.e., blacklists and whitelists) that describe the "validity" of domain names. What if there actually exists a company called paypal unlocking (TM) somewhere in the remote outskirts of a tasmanian village? We simply can't build security mechanisms which rely on domain names. That has been, and still is, the major problem with protocols like SSL/TLS which are otherwise technically sound. Cheers, Stefan. ------------------------------------------------------- Stefan Kelm Security Consultant Secorvo Security Consulting GmbH Ettlinger Strasse 12-14, D-76137 Karlsruhe Tel. +49 721 255171-304, Fax +49 721 255171-100 stefan.kelm@...orvo.de, http://www.secorvo.de/ ------------------------------------------------------- PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
Powered by blists - more mailing lists