lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu Mar 16 20:47:52 2006
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: HTTP AUTH BASIC monowall

Valdis.Kletnieks@...edu wrote:

>
>Been there, done that already.  There was a phishing run a while ago,
>the guys even had a functional SSL cert for www.mountain-america.net (the
>actual bank was mntamerica.net or something like that..)
>
>Only real solution there is to get a good grip on what a CA is actually
>certifying, which is a certain (usually very minimal) level of
>*authentication*. They're certifying that somebody convinced them that the cert
>was for who they claimed it was for.  That's it.  Anybody who attaches any
>*other* meaning to it is making a big mistake.  In particular, "authorization"
>is totally out-of-scope here....
>
>"You are now talking to the site that one of the CAs you trust thinks belongs
>to Frobozz, Inc.".
>
>If you don't trust that CA's judgment, you better heave their root cert overboard...
>
>  
>
And even then, as your example points out, it's possible for the CA to 
have "good judgment" and still not issue a certificate that is labelled 
to who you or I might think it is.  Company naming is in the venue of 
trademark law... it's not up to the CAs to choose names for companies... 
I could start a company called "Microsoft Software LLC" and as long as I 
wasn't lying through my teeth the CA would be within their rights to 
issue the cert... the trick is that I'd probably not win a trademark 
battle in the courts and that during the lagtime in between, I'd 
probably be able to dupe quite a few people if I were so inclined (and 
I'm not).

All verifying a cert proves is that the computer on the other end has 
the matching cert and that the certificate authorities say that the cert 
is still valid.  That's it.  Nothing else.

Frankly, the whole "web of trust" is a flawed idea.  "Because A trusts 
B, and B trusts C, then A can (must?) trust C" is, excuse the lack of 
civility, utter bullshit. 

I trust my friends, it doesn't mean that I trust their friends.  In this 
case, it's even more flawed because we're not talking about trusting a 
friend of a friend... we're talking about trusting people that our 
friends have met on the street... and that's it.

There's no better replacement for it at this moment, but the assumptions 
made in it are flawed beyond their targetted application.

          -bkfsec

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ