lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4214AE3D.5090800@sdf.lonestar.org>
Date: Thu, 17 Feb 2005 09:46:21 -0500
From: bkfsec <bkfsec@....lonestar.org>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: davids@...master.com, kbo@....tiscali.de,
	Vincent Archer <var@...y-all.com>, bugtraq@...urityfocus.com,
	Scott Gifford <sgifford@...pectclass.com>
Subject: Re: International Domain Name [IDN] support in modern browsers allows
 attackers to spoof domain name URLs + SSL certs.


Thor (Hammer of God) wrote:

>
> Hmmm...  I'm confused now... You just said in your last post that 
> average users don't want, need, or know how certificates work, and how 
> your previous (and specious) point stood because of that fact.  Yet 
> here, you state that enough of a backlash from these users exists to 
> keep a global entity like Symantec from taking action should they 
> revoke a trusted CA from a users' certificate store even though the 
> user (according to you) didn't know they trusted in the first place.   
> Explain that.

Simple.  If a major CA root is revoked, a large number of major sites 
will all start displaying browser warnings which will be an annoyance to 
the user, causing at least a decent percentage of them to question why 
they are getting a constantly recurring pop-up whenever they go to a 
large number of sites.

Users are only interested (and not always so, but often) in things that 
pop up in front of their faces and annoy them. 

The user wasn't aware of the CA before (since a root CA being 
automatically accepted by a browser will result in no warning message 
for the user on sites that use certs supplied by the CA) but  are aware 
that something is up (and annoying) after (if) they update their browser.

So, no - it's neither specious nor is it confusing.  It just requires 
some common sense and actual exposure to the user population.  Something 
which some people here seem to be lacking.

>
>> Comparing CA accountability to meat sales isn't a valid analogy. 
>> Obviously, the CAs don't want to be regulated, but trusting them 
>> because of this is a bit like saying that business owners would never 
>> short-pay an employee because of fear of what the employees would do.
>
>
> David was not comparing accountability to sales.  He compared trust to 
> trust.  Pretty simple stuff.

David is the one who used the term sales - bring it up with him.  Yeah, 
pretty simple stuff - which is why I disagreed with it.



>
>
>> Also, the fact that the CA market is competitive only further muddies 
>> the waters.  Not all CAs are in the same country and their 
>> competition forces them to be price-competitive.  This reduces the 
>> priority of being responsible.  Or, to use your meat analogy, 
>> mass-produced meat tends to be of a lower quality than individually 
>> produced meat products, particularly in unregulated countries.
>
>
> I acquiesce.  I failed to take into account the multi-national 
> not-for-profit CA's out there making a killing by scooping up the free 
> end-user business that you claim does not exist in the first place.

Who said anything about not-for-profit?

>
>> People who think that the market will inherently protect them have 
>> been reading too much Ayn Rand and need to step away from the 
>> fiction-proposed-as-fact isle.  No offense meant by that - it's said 
>> tongue-in-cheek.  :)
>
>
> No Barry, we just understand that the market corrects itself in these 
> matters.  That's how the market works.  Once upon a time, there was no 
> such thing as a certificate.  Now it is a billion dollar biz.  It has 
> nothing to do with the BBB or who you think is the average user.  I 
> deploy and maintain an extensive PKI infrastructure for my company as 
> I do for many of my clients.  I'm happy to engage in further dialog 
> regarding this subject so that I may have the opportunity to learn 
> something, but before I do so, I'd like to get a glimpse into the vast 
> PKI infrastructure you maintain so that I may prioritize your input.   
> Please describe your Cert/PKI infrastructure so that we may all 
> benefit from your knowledge.
>
Suffice it to say that I'm involved in maintaining one for a very large 
corportation. 

Frankly, I could care less how you prioritize what I say.  You clearly 
have your own opinions on the matter, I personally feel that they don't 
take into account factors that are important.

You talk about browsers revoking trust in CAs as if it has no impact on 
the end user.

You talk as if it's a simple proposition for Microsoft or any other 
browser manufacturer to revoke a CA trust.

I'm saying that it's not, and that the browsers have to consider the 
affects on their customers.  I'm also saying that corporations, in this 
case, don't always make the secure decision, but rather the decision 
that gives the user the greatest amount of likelihood of using their 
product.

If you disagree with this concept, I say that you're wrong.

It is a simple concept, yet you are continuing to disagree with it.

I'm sorry if you don't feel like you can learn anything from me, but I'm 
not here to teach you.  I'm simply saying that you are not taking all of 
the factors into account.  Feel free to disagree with that, but you'd 
still be wrong.

The CA and browser markets do not exist in a vacuum.  

             -Barry





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ