[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040927145031.GA7299@bednar.sk>
Date: Mon, 27 Sep 2004 16:50:31 +0200
From: Juraj Bednar <juraj@...nar.sk>
To: Daniel Veditz <dveditz@...zio.com>, bugtraq@...urityfocus.com
Subject: Re: New whitepaper "The Phishing Guide"
Hello,
> How does that help in practice? A user fooled by a link to ebay-support.com
> is just as likely to accept signed mail from foo@...y-support.com. Not to
> mention that the potential profits from phishing could easily finance the
> purchase of a forged cert if someone at one of the built-in CA's was
> corruptible. Given the several that are based in 3rd world companies (not to
> mention recent US corporate scandals) I have no confidence that won't
> eventually happen.
it is quite possible, I had success of convincing U.S. CAs of issuing me
a certificate, while they shouldn't. I once wrote an article about it to
2600.
Seems like most CAs are more capable of selling certificates than
providing real security checks, which are usually done by using that
same insecure channels, that they are trying to protect.
For example:
- a fax of business license (which for example in our country can be
get by anyone)
- e-mail to one of the administrative contacts from whois database
(which can be -- if not protected -- changed by sending simple
e-mail, if your registrar uses RIPE).
- creating a file on the target webserver (which in turn is capable of
all those attacks, that SSL is trying to protect).
So basically, "hacking" CA is just paperwork, e-mail and browserwork.
You can read the article here:
http://files.juraj.bednar.sk/CA
(I'm not sure, if it's the latest version, that got published, so please
forbid any small mistakes, but you will get the point, hopefully).
I believe there are CAs, that are more secure even for e-mail. Here in
Slovakia, we have even law about electronic signatures, and you have to
go physically to CA, show your ID, passport and after you convince them,
you are the right person, they issue you a certificate (which is equal
to signature on paper). One particular issue is, that they guarantee
also your identity (not only the ability to read particular e-mail,
which often is checked by so-called CAs by sending e-mail to the target
address and user has to check the link, which does not guarantee
anything, but the ability to read the particular e-mail -- which we want
to protect from unauthorized users, right?).
Juraj.
Powered by blists - more mailing lists