[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <43FECB94.6010308@secorvo.de>
Date: Fri, 24 Feb 2006 10:02:12 +0100
From: Stefan Kelm <stefan.kelm@...orvo.de>
To: bugtraq@...urityfocus.com
Subject: Re: Amazon phishing scam on Yahoo servers
> Surely someone, somewhere, has to take some responsibility for allowing
> domains to be created which are clearly and obviously bogus. Who could
> possibly have a reason to register paypal-unlocking.net?
The problem is, there's no such thing as a domain which is,
or which is not "clearly and obviously bogus". There won't
be internationally applicable rules (i.e., blacklists and
whitelists) that describe the "validity" of domain names.
What if there actually exists a company called paypal
unlocking (TM) somewhere in the remote outskirts of a tasmanian
village? We simply can't build security mechanisms which rely
on domain names. That has been, and still is, the
major problem with protocols like SSL/TLS which are
otherwise technically sound.
Cheers,
Stefan.
-------------------------------------------------------
Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
stefan.kelm@...orvo.de, http://www.secorvo.de/
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
Powered by blists - more mailing lists