Message-ID: <20050217091248.GE61787@DAPCVA.da>
Date: Thu, 17 Feb 2005 10:12:48 +0100
From: Vincent Archer <var@...y-all.com>
To: bugtraq@...urityfocus.com
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.


On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:
> 	I'm not assuming anything, I'm making an argument why it would be
> self-destructive for any CA to adopt such a strategy. That doesn't mean they
> won't do it, people certainly do stupid things when they think they can get
> away with it. But the fact is, CAs can't get away with it. So if they think
> they can, they will quickly be proven wrong.

Quickly? When Verisign, in 2001, issued a certificate for "Microsoft" to
somebody who simply said he was a Microsoft employee, and did not check
the identity of that person at all, what happened?

Nothing. Except issuing a couple of "oops" certificate revocations.

I can't even find a public announcement by Verisign stating they would take
action to correct their own validation procedures and avoid a repetition
of the incorrect (and for a public CA, inexcusable) behaviour. Everybody
here hopes they fixed their procedures... but no one even knows.

Obviously, CAs can get away with it. They merely have to say "oops", and
4 years later, they're still in all browsers. Heck, they're still in mine:
if I remove their root CA, all I get for my vigilance is lots of popups
insisting that the site I'm visiting is "not trusted".

> > People who think that the market will inherently protect them have been
> > reading too much Ayn Rand and need to step away from the
> > fiction-proposed-as-fact aisle.  No offense meant by that - it's said
> > tongue-in-cheek.  :)
> 
> 	Except that it does. Especially when all a company has to sell is its
> trust. This is true in many markets where companies have specifically set up
> to sell trust. You don't see people bribing the MPAA or Consumer Reports.
> Because such things could not possibly be hidden, and there's an immediate
> market remedy (stop trusting).

Probably.

But the market pressure isn't there in the case of CAs. Because 99% of the
"users" of CAs do not even know that CAs exist. CAs are not selling
the trust of users. They're selling slots in popular browsers to web sites.
They're not saying "we're trusted by people", they say "we're trusted by
browser makers".

-- 
Vincent ARCHER
varcher@...yall.com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com
