From: rms at computerbytesman.com (Richard M. Smith)
Subject: MSN Webcam / Chat Spoof 

Having a more complete cert would raise the bar for social engineering
attacks like the one being done at the fake MSN Web site.  Right now,
the ActiveX control gives the impression that it is coming from
Microsoft.  

Another fix for this kind of problem is that Internet Explorer checks
with the issuing agency to see if a cert has been revoked before the
ActiveX control is allowed to be installed.

Richard

-----Original Message-----
From: Valdis.Kletnieks@...edu [mailto:Valdis.Kletnieks@...edu] 
Sent: Monday, May 12, 2003 1:34 PM
To: Richard M. Smith
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] MSN Webcam / Chat Spoof 


On Mon, 12 May 2003 10:09:32 EDT, "Richard M. Smith"
<rms@...puterbytesman.com>  said:

> My question:  Why can't an Authenticode certificate present the
> following information to a user:
>
>    - Company name
>    - Street address
>    - Phone number
>    - Web site URL
>    - Contact Email address
>    - Company logo
>    - Link to a product description page

OK... So you get a cert - now other than "phone number", is there anything
there that *really* increases your confidence level (given that you have
2 http:// and a mailto: URL, and they could all point at a hijacked
server)?

Remember that there has already been one well-publicized case of Verisign
issuing a bogus Microsoft cert - there's no proof they haven't made the
same social-engineering whoops on possibly *dozens* of lesser-known software
houses.

And after the dot-bombed era, there's probably a *lot* of places that had
certs and went belly up - and said certs went out the door when the servers
they were on got surplused.  I'm sure snooping around the right hacker
IRC channels will find you a pointer to a black-market cert that you can have
a copy of....
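The revocation check Richard proposes above (have the browser ask the issuing CA whether the signing cert is still good before accepting the control) is exactly what a CRL lookup does, and the black-market and leaked-cert scenarios Valdis describes are the case it exists for. The script below is an added illustration, not code from either poster or from Microsoft: it builds a throw-away issuing CA with openssl, issues a code-signing certificate to a fictitious vendor, revokes it, and shows that chain validation alone still says "accepted" while the same check with the CA's CRL says "rejected". It assumes a POSIX shell and openssl 1.1.1 or newer on PATH; the CA name, vendor name and file names are all invented for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread. Shows the difference between
# validating a signer's certificate chain only and also consulting the issuing
# CA's revocation list (CRL). All names and files below are invented.
# Assumes: POSIX sh, openssl 1.1.1+ on PATH.
set -eu

# Verify LEAF against CAFILE. If a CRL is supplied, also enforce revocation.
# Prints "accepted" or "rejected" rather than failing so results can be compared.
verify_signer() {
  cafile=$1; leaf=$2; crl=${3:-}
  if [ -n "$crl" ]; then
    openssl verify -CAfile "$cafile" -CRLfile "$crl" -crl_check "$leaf" >/dev/null 2>&1 \
      && echo accepted || echo rejected
  else
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1 \
      && echo accepted || echo rejected
  fi
}

# Build the demo PKI in a scratch directory and print two verdicts for the
# same certificate: first chain-only, then with the CRL after revocation.
demo_revocation_check() (
  work=$(mktemp -d)
  cd "$work"
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial
crlnumber = crlnumber
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any_policy
[ any_policy ]
commonName = supplied
[ code_signing ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
  touch index.txt
  echo 1000 > serial
  echo 1000 > crlnumber

  # Issuing CA (stands in for the commercial CA discussed in the thread).
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.crt -subj "/CN=Demo Issuing CA" -days 30 >/dev/null 2>&1
  # Code-signing certificate for a fictitious publisher.
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout vendor.key \
    -out vendor.csr -subj "/CN=Example Software House" >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -extensions code_signing \
    -in vendor.csr -out vendor.crt >/dev/null 2>&1

  before=$(verify_signer ca.crt vendor.crt)

  # The cert is later found to be stolen, leaked, or fraudulently issued:
  # the CA revokes it and publishes a CRL.
  openssl ca -config ca.cnf -revoke vendor.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

  after=$(verify_signer ca.crt vendor.crt ca.crl)

  rm -rf "$work"
  echo "$before $after"
)

demo_revocation_check   # prints: accepted rejected
```

The first verdict is what a client gets when it only walks the chain to a trusted root: a revoked (or fraudulently issued, or surplused-with-the-server) certificate still validates, because nothing in the signature itself changes when the CA revokes it. The second verdict is what the proposed "check with the issuing agency" step buys: the same certificate is rejected once the CRL is consulted. A real client would fetch the CRL from the distribution point named in the certificate (or use OCSP) instead of reading a local file, and would have to decide what to do when that fetch fails; the hardened choice is to treat an unreachable issuer as "unknown", not as "good".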