| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200305121733.h4CHXwJ5009201@turing-police.cc.vt.edu> From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: MSN Webcam / Chat Spoof On Mon, 12 May 2003 10:09:32 EDT, "Richard M. Smith" <rms@...puterbytesman.com> said: > My question: Why can't an Authenticode certificate present the > following information to a user: > > - Company name > - Street address > - Phone number > - Web site URL > - Contact Email address > - Company logo > - Link to a product description page OK.. .So you get a cert - now other than "phone number", is there anything there that *really* increases your confidence level (given that you have 2 http:// and a mailto: URL, and they could all point at a hijacked server)? Remember that there has already been one well-publicized case of Verisign issuing a bogus Microsoft cert - there's no proof they haven't made the same social-engineering whoops on possibly *dozens* of lesser-known software houses. And after the dot-bombed era, there's probably a *lot* of places that had certs and went belly up - and said certs went out the door when the servers they were on got surplused. I'm sure snooping around the right hacker IRC channels will find you a pointer to a black-market cert that you can have a copy of.... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030512/4702452c/attachment.bin
Powered by blists - more mailing lists