Message-ID: <42153BBE.7090900@ultra-secure.de>
Date: Fri, 18 Feb 2005 01:50:06 +0100
From: Rainer Duffner <rainer@...ra-secure.de>
To: Vincent Archer <var@...y-all.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: International Domain Name [IDN] support in modern browsers allows
 attackers to spoof domain name URLs + SSL certs.


Vincent Archer wrote:

>On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:
>
>>	I'm not assuming anything, I'm making an argument why it would be
>>self-destructive for any CA to adopt such a strategy. That doesn't mean they
>>won't do it, people certainly do stupid things when they think they can get
>>away with it. But the fact is, CAs can't get away with it. So if they think
>>they can, they will quickly be proven wrong.
>
>Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to
>somebody who simply said he was a Microsoft employee, and they didn't
>do any check about the identity of the person, what happened?
>
>Nothing. Except issuing a couple of "oops" certificate revocations.
>
>I can't even find a public announce by Verisign stating they would take
>actions to correct their own validation procedures and avoid repetition
>of the incorrect (and for a public CA, inexcusable) behaviour. Everybody
>here hopes they fixed their procedures... but no one even knows.

I, too, would be interested in some kind of "lessons learned" document 
describing why this could happen at all - and how Verisign wanted to 
avoid it in the future.

It's really a pity that the root CAs in browsers haven't been subject 
to more public scrutiny - now and back then.




cheers,
Rainer

-- 
===================================================
~     Rainer Duffner - rainer@...ra-secure.de     ~
~           Freising - Munich - Germany           ~
~    Unix - Linux - BSD - OpenSource - Security   ~
~  http://www.ultra-secure.de/~rainer/pubkey.pgp  ~
===================================================


