Message-ID: <4214EA5F.8010900@sdf.lonestar.org>
Date: Thu, 17 Feb 2005 14:02:55 -0500
From: bkfsec <bkfsec@....lonestar.org>
To: davids@...master.com
Cc: kbo@....tiscali.de, Vincent Archer <var@...y-all.com>,
bugtraq@...urityfocus.com, Scott Gifford <sgifford@...pectclass.com>
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
David Schwartz wrote:
>>Wow. You just conceded that there is significant pressure on major
>>vendors to not counter the CA, and then claimed that some ethereal other
>>would magically be able to enforce it where Symantec couldn't.
>
> What?! I did nothing of the sort. My "then" follows his "if". It does not
>concede that his "if" is true, in fact I think it's preposterous.
Refusing to address a point in an argument and responding with "then
someone else would have" is, by definition, conceding the point.
It's not a preposterous point. Why should Symantec use their AV product
to police the CA market? How about their other products? It would only
happen when it benefits them to do so, and that will only happen if the
CAs completely fail to do their duties.
>>Market demand sometimes does create solutions, however to claim that it
>>does without fail is a bit naive.
>
> Didn't say that.
Yes, you did say that. Look back in the thread. You were saying "The
market will provide a solution". I said that that was naive. Your
retort was "didn't say that".
Are you conceding more points or just ignoring your own arguments?
>>So, if not Symantec, then who else do you propose would?
>
> Lavasoft, Computer Associates, Bazooka, Webroot, Zone Labs, and pretty much
>every other computer security vendor.
The same pressures that affected Symantec would affect them.
>>History disagrees with you. So do a number of economists.
>
> First of all, the unusual circumstances have occurred in distorted markets.
All markets have the potential to be distorted. And any sober review of
any market will find most of these practices in place to one degree or
another.
>Second, it took a while for people to learn that these strategies almost
>never work and to figure out precisely under what circumstances they do
>work.
Sure, they didn't know the best way to cheat people at first. All
solutions are better managed after trial and error. The problem with
your argument is that there is corruption in the markets, or are you
arguing that corruption is dead and all markets fix themselves? That
would seem a bit asinine to me. I guess you'll just respond with "I
never said that markets correct themselves..." :)
>>It would harm them, yes, but they very well can get away with it.
>
> Right, until it harms the users.
Correction: until it materially harms the user enough to address the
issue. All decisions have a cost/benefit basis to them.
>>It's interesting how you cite market dynamics in your arguments, but
>>disregard them when they aren't favorable to your point.
>
> How so?
Because you're neglecting to consider important factors in the markets
that are affected by this particular bug and, in fact, all CA root cert
revocations on the part of browser producers and when I bring them up,
you ignore them. Ignoring them makes it appear that you're being
selective in your positions.
> Or people set up that CA to a lower level of trust where they know the
>certificate has come from a CA they don't fully trust. Or maybe they
>download a list of certificates manually from that CA and don't trust
>unknown CAs without querying them with a third party. Or maybe, ...
>
> You can't predict how the market will work.
Of course not - I can only speculate based on factors at work at the
time. The same goes for yourself.
> There is a market in keeping users ignorant. So long as things "just work"
>users can stay ignorant, and I assure you, if CAs create a situation that
>doesn't "just work", someone else will work hard to come up with a solution
>to keep things that way.
Whoa whoa whoa. We're not talking about CAs creating a situation where
things don't "just work". Not in the least.
We're talking about the current IDN "bug" and the CAs dealing with
that. Someone else already answered that point by (correctly) stating
that it is not the responsibility of the CAs to protect people from
things like that.
My point is that even if it were their responsibility, you can't just
explicitly trust them to do so. Their accountability in dealing with
it is limited because as long as they are providing their service, they
won't be harmed.
If that situation became the norm, obviously - over time - that CA would
be obsoleted.
However, in the current context we're not talking about the CA system
failing.
>>There are millions of people out there who don't trust the MPAA or the
>>RIAA, for that matter. Not having the trust of the people hasn't
>>stopped them. Again, you've chosen a very poor example.
>
> No, the issue (with the MPAA, I'm not sure how the RIAA got into this) is
>not that people trust or don't trust them, the issue is that all they have
>to sell is their trust. For the vast majority of people, trusting the MPAA
>has never caused them a problem. So the alternatives to the MPAA only target
>very specialized markets.
The average person doesn't have a choice. The MPAA is, effectively, a
trust and a control for the movie industry. Looking through my own
movie collection, I don't have many movies that aren't associated with
the MPAA and I think I'd be hard-pressed to find more than five.
The average person doesn't have a trust relationship with the MPAA.
It's more of a dictatorial relationship. People buy or go watch movies
and, if the product is defective, they return it. There's not much of a
trust relationship there to speak of.
Hell, most people don't even trust the MPAA to properly rate movies.
>>The market does not inherently protect people. Anyone who believes that
>>is reality impaired and doesn't have a very good understanding of
>>history nor economics.
>
> That's not what I'm saying. I'm saying CAs have a huge interest in making
>sure their customers don't get harmed by their actions.
Yes, they have an interest in providing their services in the way that
is economically feasible to achieve their best goals. Obviously, they
don't want to see their customers harmed by their actions. However,
it's a leap of faith to go from that to "they will provide the best
service ever possible".
-Barry