Message-ID: <242a0a8f0603161348s7625bfcav4c5b9a685f7caf9@mail.gmail.com>
Date: Thu Mar 16 21:48:53 2006
From: eaton.lists at gmail.com (Brian Eaton)
Subject: HTTP AUTH BASIC monowall

On 3/16/06, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
> On Thu, 16 Mar 2006 15:10:50 EST, Brian Eaton said:
>
> > My read of that statement is that Geotrust sees nothing wrong with
> > their verification process and is not going to take any action to
> > prevent this from happening again.
> >
> > The incentives for the CAs are in all the wrong places.  They suffer
> > no financial harm when they certify a false identity.  Instead, they
> > make a quick buck.
>
> It's more subtle than that.
>
> Geotrust didn't do *anything* wrong.  They issued a cert for www.mountain-america.net
> to the rightful owners of www.mountain-america.net.  There's no reason to raise
> a flag here, as nothing nefarious has happened.  They're not up for a financial hit
> for certifying a false identity, because they certified the real identity
> correctly, as per their procedures.
>
> There's little to nothing that Geotrust can do about the fact that after they
> properly certified mountain-america.net, it turned around and pretended to be
> mntamerica.net.

Your point is definitely valid, Geotrust did what they said they would
do.  I'd like to see their process changed so that it included a more
serious check into the business whose web site they are verifying.  A
good goal would be for a CA to be able to establish an identity well
enough that after six months they could find the entity to whom they
issued the certificate.  Then an SSL certificate would imply some
degree of accountability.

Something simple from a technical perspective would be for CAs to have
a 90 day waiting period before issuing an SSL certificate.  If the
cert was purchased with a stolen credit card, that gives plenty of
time for the fraud to come to light.  That's obviously not a 100%
solution, but it would raise the bar a bit.  A waiting period might
not be reasonable from a business perspective.  I wonder what
percentage of CA revenue comes from mom and pop internet store fronts
that aren't willing to wait that 90 days?

I started digging around on Geotrust's web site looking for their
policy on issuing certificates and stumbled across a FAQ on
high-assurance SSL certificates.  This sounds like a step in the right
direction.

http://www.geotrust.com/products/ssl_certificates/hassl_faq.asp

- Brian
