Message-ID: <75C025AE395F374B81F6416B1D4BDEFB0146C0E7@mtv-corpmail.microfocus.com>
Date: Tue, 23 Sep 2003 09:22:51 -0700
From: Michael Wojcik <Michael.Wojcik@...rofocus.com>
To: BugTraq <bugtraq@...urityfocus.com>
Cc: N407ER <n407er@...ealbox.com>, rms@...puterbytesman.com
Subject: RE: Does VeriSign's SiteFinder service violate the ECPA?


> From: N407ER [mailto:n407er@...ealbox.com] 
> Sent: Tuesday, September 23, 2003 10:43 AM
> 
> By this logic, all webservers which unintentionally accept traffic 
> without somehow verifying that a typo did not take place violate the 
> ECPA. That's ridiculous. Do you really want a precedent where, if someone
> accidentally POSTs bank information to your site instead of the URL 
> they meant to type, you are somehow liable?

IANAL, but the law recognizes degrees of liability.  It's far less likely
that someone mistypes a URL and ends up with another valid FQDN, than ends
up with garbage that sends them to SiteFinder.  By choosing to make it so
easy for data to be misdirected to SF, Verisign has arguably taken on
greater liability.

On a more practical note, by potentially exposing many, many users to data
misdirection, Verislime opens itself to class-action lawsuits.

Verisign executives appear to enjoy dancing on the edge of a precipice.  The
CA business is essentially an unregulated financial service; if e-commerce
continues to grow, that won't last.  The DNS business is an unnatural
monopoly.  Verisign has screwed up royally in both (the bogus Microsoft
certificates and the sex.com transfer).  Sooner or later someone with the
right resources will get sufficiently pissed to see them ground under the
government's thumb.  Whether that happens through regulation or the courts
is the only real question.

And while there may well be unfortunate long-term effects, it'll be hard not
to feel a degree of glee in the moment.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus
