Message-ID: <dvf53k$516$1@sea.gmane.org>
Date: Fri Mar 17 20:10:49 2006
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Re: HTTP AUTH BASIC monowall

Jason Coombs wrote:
>> Brian Eaton wrote:
>>> I'd like to see their process
>>> changed so that it included a more
>>> serious check into the business
>>> whose web site they are verifying.
>>
>> This makes no sense at all, and is simply impossible within the DNS
>> system. Furthermore, all verification done by any CA can be easily
>> fooled.

  That may be the case in practice, but it's surely not an absolute 
theoretical limitation?  I would have thought it should be perfectly 
/possible/ to set up a CA that really did do a good job; that wouldn't issue 
a certificate except in person, that insists on sending one of the CA's 
staff round to the subscriber's business premises to meet them personally, 
look at the buildings, look at whether it's an established business with a 
history of trading, ask to see customer testimonials, etc. etc.

  It might still be possible to fool them but it would suddenly require you 
to hire a bunch of actors, rent business premises, forge dozens of copies of 
old newspapers to look like you've been in existence and advertising for 
some years.... it's suddenly a /much/ steeper barrier than some stupid 
automated system that some stupid skiddie can email from some stupid open 
proxy.

  And of course that's the real reason why CA verification can be defeated: 
not because there's some technical, logical, social or moral impossibility 
about it; merely because automation is cheap and the corporations that 
perform it are cheapskates who care only about the bottom line and don't 
mind providing a shit service that fails to fulfill its requirements.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 