Message-ID: <2466482E-B009-11D6-80C5-00039359BF60@sackheads.org>
From: cerebus at sackheads.org (Timothy J.Miller)
Subject: Anyone buy this?

On Wednesday, August 14, 2002, at 06:54 PM, Fenris The Wolf wrote:

> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/IARWSV.asp

I will say I'm not surprised. What else should be expected?

> The identity of the attacker could easily be determined. To exploit the
> vulnerability, the attacker would require a valid SSL digital certificate,
> issued by a trusted Certificate Authority. However, most commercial
> Certificate Authorities require substantial proof of identity before issuing
> such a certificate,

Yeah, just like Verisign confirmed the spoofer who got new signing certs issued to him in Microsoft's name.

> The user would always have the ability to determine the truth.

While this is certainly technically true, it's not *practically* true. The average user knows fsck-all about X.509 and certificate chaining, much less how to use Microsoft's certificate display dialog.

> Clearly, it would have been best if a balanced assessment of the
> issue and its risk had been available from the start.

Never mind that FAILING TO VERIFY BASIC CONSTRAINTS is SUCH A FREAKING STUPID ERROR that it SHOULD NEVER HAVE EVER FSCKING HAPPENED IN THE FIRST GODDAMN PLACE...

*ahem* Excuse me, sometimes I just get riled.

Obviously "balanced assessment" has a meaning I wasn't aware of. From the context it apparently means "brought to light in a way that didn't make us look like morons."

Trusted Computing at work.

-- 
Cerebus