lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <43FECB94.6010308@secorvo.de>
Date: Fri, 24 Feb 2006 10:02:12 +0100
From: Stefan Kelm <stefan.kelm@...orvo.de>
To: bugtraq@...urityfocus.com
Subject: Re: Amazon phishing scam on Yahoo servers


> Surely someone, somewhere, has to take some responsibility for allowing
> domains to be created which are clearly and obviously bogus. Who could
> possibly have a reason to register paypal-unlocking.net?

The problem is, there's no such thing as a domain which is,
or which is not "clearly and obviously bogus". There won't
be internationally applicable rules (i.e., blacklists and
whitelists) that describe the "validity" of domain names.
What if there actually exists a company called paypal
unlocking (TM) somewhere in the remote outskirts of a tasmanian
village? We simply can't build security mechanisms which rely
on domain names. That has been, and still is, the
major problem with protocols like SSL/TLS which are
otherwise technically sound.

Cheers,

	Stefan.

-------------------------------------------------------
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe

Tel. +49 721 255171-304, Fax +49 721 255171-100
stefan.kelm@...orvo.de, http://www.secorvo.de/
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ