lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <242a0a8f0603161210g1fb9c78ar35d514083a0421f2@mail.gmail.com>
Date: Fri Mar 17 15:39:43 2006
From: eaton.lists at gmail.com (Brian Eaton)
Subject: HTTP AUTH BASIC monowall

On 3/16/06, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
> On Wed, 15 Mar 2006 15:14:47 EST, Brian Eaton said:
> > tim-security at sentinelchicken.org wrote:
>
> > How trustworthy are the CA certificates included in the average browser?
> >
> > There are a couple of dozen CA certificates shipped with my browser.
> > Some of the vendors associated with these CA certificates offer to
> > give me a certificate for my web site in 10 minutes or less for a
> > couple of hundred dollars.
> >
> > This sounds like a really ripe opportunity for social engineering to me.
>
> Been there, done that already.  There was a phishing run a while ago,
> the guys even had a functional SSL cert for www.mountain-america.net (the
> actual bank was mntamerica.net or something like that..)
>
> Only real solution there is to get a good grip on what a CA is actually
> certifying, which is a certain (usually very minimal) level of
> *authentication*. They're certifying that somebody convinced them that the cert
> was for who they claimed it was for.  That's it.  Anybody who attaches any
> *other* meaning to it is making a big mistake.  In particular, "authorization"
> is totally out-of-scope here....
>
> "You are now talking to the site that one of the CAs you trust thinks belongs
> to Frobozz, Inc.".
>
> If you don't trust that CA's judgment, you better heave their root cert overboard...
>

Brian Krebs from the Washington Post wrote a column about the Mountain
America scam, and he even got somebody from Geotrust to comment on
what went wrong.

The column is here:
http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html

Here's the section of the article that has Geotrust's response:
<----snip---->
Joan Lockhart, the company's vice president of marketing, said the
site was registered on Sunday and the cert was issued early this
morning. Lockhart said Geotrust has a rigorous process in place to
check for phishy certificate requests that relies on algorithms which
check cert requests for certain words, misspellings or phrases that
may indicate a phisher is involved. In this case, she said, the
technology did not flag the request because there was nothing in the
Internet address to indicate the site was at all related to a
financial institution.

Geotrust's cert verification process is largely automated: when
someone requests a cert for a particular site, the company sends an
e-mail to the address included in the Web site's registrar records,
along with a special code that the recipient needs to phone in to
complete the process.

Lockhart said she doubted that inserting a human into that process
would have flagged the account as suspicious.

"I would argue that probably anyone who is processing
mountain-america.net would not have raised flags," she said.
<----snip---->

My read of that statement is that Geotrust sees nothing wrong with
their verification process and is not going to take any action to
prevent this from happening again.

The incentives for the CAs are in all the wrong places.  They suffer
no financial harm when they certify a false identity.  Instead, they
make a quick buck.

- Brian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ