Message-ID: <75C025AE395F374B81F6416B1D4BDEFB01C3C619@mtv-corpmail.microfocus.com>
Date: Mon, 14 Feb 2005 06:32:41 -0800
From: Michael Wojcik <Michael.Wojcik@...rofocus.com>
To: bugtraq@...urityfocus.com
Cc: Scott Gifford <sgifford@...pectclass.com>
Subject: RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.


> From: Scott Gifford [mailto:sgifford@...pectclass.com] 
> Sent: Friday, 11 February, 2005 14:07
> 
> Isn't this the entire reason for browsers coming with a
> small list of CAs which are deemed trustworthy?

What "small list"?  IE contains root certificates with server-authentication
rights from some 37 organizations.  That's not the number of roots - that's
the number of organizations who have gotten Microsoft to include one or more
roots.

Do you deem all of them trustworthy?  Do you even have any idea who they
are?  Do you suppose that the vast majority of users even know what a root
cert or a CA is?  They put their trust in "the system" - they've been told
that it's safe to reveal sensitive information if they see a little padlock
icon in their browser.

Anything that makes it easier for an attacker to confuse that class of user
- the dominant class - about what site they're actually using when that
little padlock appears is *in practice* a serious security risk.  It doesn't
matter whether it's well-intentioned or technically elegant; it's a problem,
and CAs are not going to save us from it.

Unfortunately, while it might appear that Verisign has shot itself in the
foot with IDNs, in practice they have monopolistic power and a market which
doesn't understand the product they're selling, and consequently can't make
rational decisions.  (Not that consumers generally make rational decisions
anyway.)  Verisign can probably devalue its own product pretty much
arbitrarily without significant bottom-line impact.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus
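The spoof named in the thread's subject, worked through as an added example; this is not part of the original message, nor code from any browser or CA it mentions. The two domain names are constructed for illustration (the second one substitutes CYRILLIC SMALL LETTER A, U+0430, for the Latin "a"), and the CONFUSABLES table is a hand-picked subset, an assumption of this example rather than a complete confusables list. The point it demonstrates is the one made above: the padlock certifies the Punycode name the attacker really registered, so a CA issuing against it is doing its job correctly and still cannot help the user who sees only the rendered form.

```python
"""Added example: why a valid cert does not settle which "paypal.com" a user
is looking at.  Browser, resolver and CA all work on the Punycode (ACE) form,
where the two constructed names below are unrelated; only the screen shows
them as identical."""
import unicodedata

LEGIT = "paypal.com"
SPOOF = "p\u0430ypal.com"  # constructed homograph: U+0430 in place of "a"

# Hand-picked subset of Cyrillic letters that render like Latin letters in
# most fonts.  An assumption for this example, not a complete confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def to_ascii(domain: str) -> str:
    """The name a CA validates and a resolver looks up: the IDNA/Punycode form."""
    return domain.encode("idna").decode("ascii")


def label_scripts(label: str) -> set[str]:
    """Scripts used in one label, taken from the first word of each character's
    Unicode name ("LATIN", "CYRILLIC", ...).  Digits and hyphens are
    script-neutral and ignored."""
    found = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def is_mixed_script(domain: str) -> bool:
    """True if any label mixes scripts: the cheapest homograph heuristic."""
    return any(len(label_scripts(label)) > 1 for label in domain.split("."))


def skeleton(domain: str) -> str:
    """Fold confusable characters to their Latin look-alikes so that names which
    render identically compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def is_homograph_of(candidate: str, target: str) -> bool:
    """Distinct on the wire (different ACE form) yet indistinguishable on screen
    (same skeleton).  This is exactly the case a domain-validated cert cannot
    catch: the CA is asked about the ACE name, which the attacker controls."""
    return (to_ascii(candidate) != to_ascii(target)
            and skeleton(candidate) == skeleton(target))


if __name__ == "__main__":
    for name in (LEGIT, SPOOF):
        print(f"{name!r:24} -> {to_ascii(name):20} "
              f"mixed-script={is_mixed_script(name)}")
    print("homograph of", LEGIT, ":", is_homograph_of(SPOOF, LEGIT))
```

Run as a script, it prints the ACE form of each name so the difference the CA sees is visible next to the rendered form the user sees. The mixed-script check is the defence browsers later adopted in one form or another; it is a heuristic, not a guarantee, since a label written entirely in one look-alike script passes it.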


