| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Sep 2011 16:23:50 +0700 From: JT S <whytehorse@...il.com> To: coderman <coderman@...il.com> Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu Subject: Re: Western Union Certificate Error Non-authoritative answer: Name: wumt.westernunion.com Address: 206.201.228.250 Non-authoritative answer: Name: www.westernunion.com Address: 206.201.228.250 Yeah it looks like either human error or DNS. I didn't check the IPs at the time but perhaps they were different for www and wumt. Is there some way to take a certificate such as this one and manually verify it? I know the browsers automatically check the CRL and the signature of the CA but that doesn't help when you have a CA that has been compromised and doesn't know what certificates are out there to revoke. For all I know, anyone who breaks into any CA which is trusted by my browser can issue and sign a cert for any domain and the browser will blindly accept it. I personally would prefer that the browsers only trust keys that I have signed, have low trust for keys signed by keys I have signed, and no trust for the rest. I'd really like the ability to walk into western union or my bank or local google office and sign their key as well as the ability to revoke my signature without revoking my key. Finally, I'd like to see DNSSEC integrated at the browser layer so that the DNS record has a signature that matches the key I've signed. If the ISPs can ensure their routers direct the traffic to the right IPs from the clients, then we'd be half-way secure in knowing that the party on the other end is who we think it is. On Fri, Sep 9, 2011 at 12:10 PM, coderman <coderman@...il.com> wrote: > On Thu, Sep 8, 2011 at 3:07 PM, <Valdis.Kletnieks@...edu> wrote: >> ... >> And look at the DNS info as seen from here: >> >> www.westernunion.com. 30 IN A 206.201.228.250 >> wumt.westernunion.com. 30 IN A 206.201.227.250 >> >> Naah, no possible way to screw that up. ;) > > check the google cert and observ. it's been in use legitimately for > months. (they just fucked up a deploy. attrition in the QA staff or > just negligence? :) > > most mismatches of CA signed certs are due to human error of a > failboat nature. hoof beats for horses not zebras, etc... > CONFIDENTIALITY NOTICE This E-Mail transmission (and/or the documents accompanying it) is for the sole use of the intended recipient(s) and may contain information protected by the attorney-client privilege, the attorney-work-product doctrine or other applicable privileges or confidentiality laws or regulations. If you are not an intended recipient, you may not review, use, copy, disclose or distribute this message or any of the information contained in this message to anyone. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of this message and any attachments. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists