Message-ID: <4214EA5F.8010900@sdf.lonestar.org>
Date: Thu, 17 Feb 2005 14:02:55 -0500
From: bkfsec <bkfsec@....lonestar.org>
To: davids@...master.com
Cc: kbo@....tiscali.de, Vincent Archer <var@...y-all.com>,
	bugtraq@...urityfocus.com, Scott Gifford <sgifford@...pectclass.com>
Subject: Re: International Domain Name [IDN] support in modern browsers allows
 attackers to spoof domain name URLs + SSL certs.


David Schwartz wrote:

>>Wow.  You just conceded that there is significant pressure on major
>>vendors to not counter the CA, and then claimed that some ethereal other
>>would magically be able to enforce it where Symantec couldn't.
>>    
>>
>
>	What?! I did nothing of the sort. My "then" follows his "if". It does not
>concede that his "if" is true, in fact I think it's preposterous.
>  
>
Refusing to address a point in an argument and responding with "then 
someone else would have" is, by definition, conceding the point.

It's not a preposterous point.  Why should Symantec use their AV product 
to police the CA market?  How about their other products?  It would only 
happen when it benefits them to do so, and that will only happen if the 
CAs completely fail to do their duties.

>  
>
>>Market demand sometimes does create solutions, however to claim that it
>>does without fail is a bit naive.
>>    
>>
>
>	Didn't say that.
>  
>
Yes, you did say that.  Look back in the thread.  You were saying "The 
market will provide a solution".  I said that that was naive.  Your 
retort was "didn't say that".

Are you conceding more points or just ignoring your own arguments?

>>So, if not Symantec, then who else do you propose would?
>>    
>>
>
>	Lavasoft, Computer Associates, Bazooka, Webroot, Zone Labs, and pretty much
>every other computer security vendor.
>  
>
The same pressures that affected Symantec would affect them.



>>History disagrees with you.  So do a number of economists.
>>    
>>
>
>	First of all, the unusual circumstances have occurred in distorted markets.
>  
>
All markets have the potential to be distorted.  And any sober review of 
any market will find most of these practices in place to one degree or 
another.

>Second, it took a while for people to learn that these strategies almost
>never work and to figure out precisely under what circumstances they do
>work.
>  
>
Sure, they didn't know the best way to cheat people at first.  All 
solutions are better managed after trial and error.  The problem with 
your argument is that there is corruption in the markets, or are you 
arguing that corruption is dead and all markets fix themselves?  That 
would seem a bit asinine to me.  I guess you'll just respond with "I 
never said that markets correct themselves..." :)


>>It would harm them, yes, but they very well can get away with it.
>>    
>>
>
>	Right, until it harms the users.
>  
>
Correction: until it materially harms the user enough to address the 
issue.  All decisions have a cost/benefit basis to them.

>
>>It's interesting how you cite market dynamics in your arguments, but
>>disregard them when they aren't favorable to your point.
>>    
>>
>
>	How so?
>  
>
Because you're neglecting to consider important factors in the markets 
that are affected by this particular bug and, in fact, all CA root cert 
revocations on the part of browser producers and when I bring them up, 
you ignore them.  Ignoring them makes it appear that you're being 
selective in your positions.

>
>	Or people set up that CA to a lower level of trust where they know the
>certificate has come from a CA they don't fully trust. Or maybe they
>download a list of certificates manually from that CA and don't trust
>unknown CAs without querying them with a third party. Or maybe, ...
>
>	You can't predict how the market will work.
>  
>
Of course not - I can only speculate based on factors at work at the 
time.   The same goes for yourself.



>
>	There is a market in keeping users ignorant. So long as things "just work"
>users can stay ignorant, and I assure you, if CAs create a situation that
>doesn't "just work", someone else will work hard to come up with a solution
>to keep things that way.
>  
>
Whoa whoa whoa.  We're not talking about CAs creating a situation where 
things don't "just work".  Not in the least.

We're talking about the current IDN "bug" and the CAs dealing with 
that.   Someone else already answered that point by (correctly) stating 
that it is not the responsibility of the CAs to protect people from 
things like that.

My point is that even if it were their responsibility, you can't just 
explicitly trust them to do so.  Their accountability in dealing with 
it is limited because as long as they are providing their service, they 
won't be harmed.

If that situation became the norm, obviously - over time - that CA would 
be obsoleted.

However, in the current context we're not talking about the CA system 
failing.


>  
>
>>There are millions of people out there who don't trust the MPAA or the
>>RIAA, for that matter.  Not having the trust of the people hasn't
>>stopped them.  Again, you've chosen a very poor example.
>>    
>>
>
>	No, the issue (with the MPAA, I'm not sure how the RIAA got into this) is
>not that people trust or don't trust them, the issue is that all they have
>to sell is their trust. For the vast majority of people, trusting the MPAA
>has never caused them a problem. So the alternatives to the MPAA only target
>very specialized markets.
>  
>
The average person doesn't have a choice.  The MPAA is, effectively, a 
trust and a control for the movie industry.  Looking through my own 
movie collection, I don't have many movies that aren't associated with 
the MPAA and I think I'd be hard-pressed to find more than five.

The average person doesn't have a trust relationship with the MPAA.  
It's more of a dictatorial relationship.  People buy or go watch movies 
and, if the product is defective, they return it.  There's not much of a 
trust relationship there to speak of.

Hell, most people don't even trust the MPAA to properly rate movies.



>  
>
>>The market does not inherently protect people.  Anyone who believes that
>>is reality impaired and doesn't have a very good understanding of
>>history nor economics.
>>    
>>
>
>	That's not what I'm saying. I'm saying CAs have a huge interest in making
>sure their customers don't get harmed by their actions.
>
>	
>
Yes, they have an interest in providing their services in the way that 
is economically feasible to achieve their best goals.  Obviously, they 
don't want to see their customers harmed by their actions.   However, 
it's a leap of faith to go from that to "they will provide the best 
service ever possible". 

              -Barry
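The "current IDN bug" the thread argues over is the homograph problem: a browser that renders internationalized labels as Unicode shows an address bar in which a Latin "a" and a Cyrillic "а" (U+0430) are indistinguishable, while the resolver and the certificate see two different punycode hostnames. The example below is added here as an illustration and is not code from any participant in this thread. It uses only Python's built-in IDNA codec and unicodedata; the hostnames in it are constructed samples (the Cyrillic-а spoof of paypal.com and a legitimate German IDN), and the mixed-script heuristic is one of the client-side checks browsers later adopted, not something the thread proposes.

```python
import unicodedata

# Character classes that may legitimately appear beside letters of any
# single alphabet in a hostname label; everything else is keyed on the
# first word of its Unicode name ("LATIN", "CYRILLIC", "GREEK", ...).
NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}


def to_ascii(hostname: str) -> str:
    """IDNA ToASCII: the xn-- form that DNS resolution and the TLS
    certificate's subject actually use."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """IDNA ToUnicode: what an IDN-enabled address bar displays."""
    return hostname.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Set of scripts used in one label, derived from Unicode character
    names (characters without a name count as their own script)."""
    scripts = set()
    for ch in label:
        name = unicodedata.name(ch, "UNASSIGNED")
        scripts.add(name.split()[0])
    return scripts - NEUTRAL


def mixed_script_labels(hostname: str) -> list:
    """Labels that mix two or more scripts, e.g. Latin 'p' next to
    Cyrillic 'а'.  Accepts either the Unicode or the xn-- form."""
    if hostname.isascii():
        hostname = to_unicode(hostname)
    return [label for label in hostname.split(".")
            if len(label_scripts(label)) > 1]


def is_homograph_candidate(hostname: str) -> bool:
    """True when the displayed name cannot be trusted to read as one
    script; a browser would fall back to showing the punycode."""
    return bool(mixed_script_labels(hostname))


if __name__ == "__main__":
    # Constructed samples: a Cyrillic-а spoof and a legitimate IDN.
    spoof = "p\u0430ypal.com"      # second character is U+0430, not 'a'
    real = "paypal.com"
    german = "b\u00fccher.de"      # bücher.de, all Latin script

    for host in (spoof, real, german):
        print(f"{host!r:22} -> {to_ascii(host):22} "
              f"mixed-script labels: {mixed_script_labels(host)}")
```

Running it shows the two names that look identical on screen encode to different hostnames (`xn--pypal-4ve.com` versus `paypal.com`), so a certificate issued for the punycode name is perfectly valid for the spoofed site; that is why the participants above agree the CAs are not the layer that can fix this. The mixed-script test flags the spoof without rejecting a real single-script IDN like bücher.de, which is the trade-off a display-side check has to make.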



