Message-ID: <4213CA76.40901@sdf.lonestar.org>
Date: Wed, 16 Feb 2005 17:34:30 -0500
From: bkfsec <bkfsec@....lonestar.org>
To: davids@...master.com
Cc: kbo@....tiscali.de, Vincent Archer <var@...y-all.com>,
	bugtraq@...urityfocus.com, Scott Gifford <sgifford@...pectclass.com>
Subject: Re: International Domain Name [IDN] support in modern browsers allows
 attackers to spoof domain name URLs + SSL certs.


David Schwartz wrote:

>>My proposition is that the argument that they (and their associated webs
>>of trust) are inherently trustworthy because of external pressures is a
>>flawed assumption because they do not have the proposed level of
>>pressure applied to them since most of the people affected by their web
>>of trust don't understand it.
>
>	They don't have to. I don't understand how my supermarket gets their meat,
>but I trust them to use safe sources because I know that if they didn't
>those who do understand would tell me, and then I'd figure out a way to
>avoid it.
>
>	No CA wants to find out what market forces will appear as soon as they
>prove to be untrustworthy. There are already many vehicles for immediately
>deploying blacklists. For example, Symantec could release an update for any
>of their security products that removed a root CA. It wouldn't take more
>than a small percent of web users to have a problem with a CA before people
>wouldn't want their certificates to be signed by that CA.
>
>	
>
Symantec wouldn't do this.  The backlash they would receive from angry 
users alone would be enough to discourage it, never mind the potential 
for legal problems.

Comparing CA accountability to meat sales isn't a valid analogy.  
Obviously, the CAs don't want to be regulated, but trusting them because 
of this is a bit like saying that business owners would never short-pay 
an employee because of fear of what the employees would do.

It's also like saying that corporations never form trusts and price fix 
for fear of the consumer.

Obviously, both of these assumptions are wrong and the assumption 
regarding CAs is also wrong.  The fact that it is assumed in the first 
place is *the problem*.

Also, the fact that the CA market is competitive only further muddies 
the waters.  Not all CAs are in the same country and their competition 
forces them to be price-competitive.  This reduces the priority of being 
responsible.  Or, to use your meat analogy, mass-produced meat tends to 
be of a lower quality than individually produced meat products, 
particularly in unregulated countries. 

People who think that the market will inherently protect them have been 
reading too much Ayn Rand and need to step away from the 
fiction-proposed-as-fact aisle.  No offense meant by that - it's said 
tongue-in-cheek.  :)

             -Barry




