[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050215153913.E52923@skink.reptiles.org>
Date: Tue, 15 Feb 2005 15:44:22 -0500 (EST)
From: Gwendolynn ferch Elydyr <gwen@...tiles.org>
To: bkfsec <bkfsec@....lonestar.org>
Cc: Scott Gifford <sgifford@...pectclass.com>,
Neil W Rickert <rickert+bt@...niu.edu>, bugtraq@...urityfocus.com
Subject: Re: International Domain Name [IDN] support in modern browsers allows
attackers to spoof domain name URLs + SSL certs.
On Tue, 15 Feb 2005, bkfsec wrote:
> The difference between CAs and the BBB is that the BBB is well known and
> highly accountable. CAs are not necessarily.
> There is no widely screened public discussion or understanding of the
> function of CAs. The accepted root CAs do their jobs on the browser entirely
> in the background. Their "seal of approval" is considered implicit by the
> lack of a message at all.
The BBB is certainly well known, but describing it as highly accountable
is certainly inaccurate. A quick web search will inform you that the
BBB has local 'affiliates', and that the quality of these 'affiliates'
can vary dramatically from location to location.
There's no widely screened public discussion or understanding of the
function of the BBB - and their seal of approval certainly appears on
sites and businesses they've never heard of.
cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."
Powered by blists - more mailing lists