Message-ID: <42126048.2060601@sdf.lonestar.org>
Date: Tue, 15 Feb 2005 15:49:12 -0500
From: bkfsec <bkfsec@....lonestar.org>
To: Gwendolynn ferch Elydyr <gwen@...tiles.org>
Cc: Scott Gifford <sgifford@...pectclass.com>,
Neil W Rickert <rickert+bt@...niu.edu>, bugtraq@...urityfocus.com
Subject: Re: International Domain Name [IDN] support in modern browsers allows
attackers to spoof domain name URLs + SSL certs.
Gwendolynn ferch Elydyr wrote:
> On Tue, 15 Feb 2005, bkfsec wrote:
>
>> The difference between CAs and the BBB is that the BBB is well known
>> and highly accountable. CAs are not necessarily. There is no widely
>> screened public discussion or understanding of the function of CAs.
>> The accepted root CAs do their jobs on the browser entirely in the
>> background. Their "seal of approval" is considered implicit by the
>> lack of a message at all.
>
>
> The BBB is certainly well known, but describing it as highly accountable
> is certainly inaccurate. A quick web search will inform you that the
> BBB has local 'affiliates', and that the quality of these 'affiliates'
> can vary dramatically from location to location.
>
> There's no widely screened public discussion or understanding of the
> function of the BBB - and their seal of approval certainly appears on
> sites and businesses they've never heard of.
>
>
Well, I meant more accountable than CAs are. I still think that that
statement is accurate if you take my meaning.
-Barry