Date: Fri Mar 17 14:28:09 2006
From: simon at snosoft.com (Simon Smith)
Subject: HTTP AUTH BASIC monowall

Bkfsec,
    Damn well put man! I am glad to see that I'm not the only one who
feels weary about this.

bkfsec wrote:
> Valdis.Kletnieks@...edu wrote:
>
>> Been there, done that already.  There was a phishing run a while ago,
>> the guys even had a functional SSL cert for www.mountain-america.net
>> (the actual bank was mntamerica.net or something like that..)
>>
>> Only real solution there is to get a good grip on what a CA is actually
>> certifying, which is a certain (usually very minimal) level of
>> *authentication*. They're certifying that somebody convinced them
>> that the cert was for who they claimed it was for.  That's it.  Anybody
>> who attaches any *other* meaning to it is making a big mistake.  In
>> particular, "authorization" is totally out-of-scope here....
>>
>> "You are now talking to the site that one of the CAs you trust thinks
>> belongs to Frobozz, Inc.".
>>
>> If you don't trust that CA's judgment, you better heave their root
>> cert overboard...
>>
> And even then, as your example points out, it's possible for the CA to
> have "good judgment" and still not issue a certificate that is
> labelled to who you or I might think it is.  Company naming is in the
> venue of trademark law... it's not up to the CAs to choose names for
> companies... I could start a company called "Microsoft Software LLC"
> and as long as I wasn't lying through my teeth the CA would be within
> their rights to issue the cert... the trick is that I'd probably not
> win a trademark battle in the courts and that during the lagtime in
> between, I'd probably be able to dupe quite a few people if I were so
> inclined (and I'm not).
>
> All verifying a cert proves is that the computer on the other end has
> the matching cert and that the certificate authorities say that the
> cert is still valid.  That's it.  Nothing else.
>
> Frankly, the whole "web of trust" is a flawed idea.  "Because A trusts
> B, and B trusts C, then A can (must?) trust C" is, excuse the lack of
> civility, utter bullshit.
> I trust my friends, it doesn't mean that I trust their friends.  In
> this case, it's even more flawed because we're not talking about
> trusting a friend of a friend... we're talking about trusting people
> that our friends have met on the street... and that's it.
>
> There's no better replacement for it at this moment, but the
> assumptions made in it are flawed beyond their targeted application.
>
>          -bkfsec
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


-- 
Regards, 
	Jackass
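The thread's point about what certificate verification does and does not prove can be shown concretely. The following Go program is an added example, not code from the list posters, and it builds an entirely constructed PKI in memory (a test root CA, a leaf for the made-up host www.example.test with the made-up organization "Example Software LLC"). It then runs the checks a TLS client really performs: chain to a trusted root, validity period, key usage, hostname match, and proof that the peer holds the private key. The organization string in the subject is never compared to anything, which is the "authentication, not authorization" distinction Valdis and bkfsec describe. All names, hostnames and helper function names here are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI holds a constructed root CA and one leaf certificate it issued.
// Everything is generated in memory; nothing here is a real CA or site.
type TestPKI struct {
	Roots   *x509.CertPool
	Root    *x509.Certificate
	Leaf    *x509.Certificate
	LeafKey *ecdsa.PrivateKey
}

// newCert signs tmpl with signer (parent == tmpl means self-signed) and parses the result.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI issues a server certificate for dnsName carrying whatever Organization
// text the requester supplied. The CA here validates only the name binding; the
// organization string is a label the verifier will never check.
func BuildPKI(org, dnsName string) (*TestPKI, error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, err := newCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leaf, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &TestPKI{Roots: pool, Root: root, Leaf: leaf, LeafKey: leafKey}, nil
}

// VerifyServerCert runs the checks a TLS client performs on a presented
// certificate and returns a short verdict naming the first check that failed.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, hostname string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var hn x509.HostnameError
	var ua x509.UnknownAuthorityError
	var ci x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hn):
		return "hostname-mismatch"
	case errors.As(err, &ua):
		return "unknown-authority"
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return "expired"
	default:
		return "other: " + err.Error()
	}
}

// ProvesKeyPossession mirrors the handshake's proof that the peer holds the
// private key for the presented certificate: sign a fresh nonce with the
// candidate key and check the signature against the certificate's public key.
func ProvesKeyPossession(cert *x509.Certificate, candidate *ecdsa.PrivateKey) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, candidate, digest[:])
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	pki, err := BuildPKI("Example Software LLC", "www.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("subject O =", pki.Leaf.Subject.Organization, "(never compared to anything)")
	fmt.Println("matching host:", VerifyServerCert(pki.Leaf, pki.Roots, "www.example.test"))
	fmt.Println("other host:   ", VerifyServerCert(pki.Leaf, pki.Roots, "example.test"))
	fmt.Println("untrusted CA: ", VerifyServerCert(pki.Leaf, x509.NewCertPool(), "www.example.test"))
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("right key:", ProvesKeyPossession(pki.Leaf, pki.LeafKey),
		"wrong key:", ProvesKeyPossession(pki.Leaf, otherKey))
}
```

Running it shows the two facts the thread reduces verification to: a chain to a root you trust (an empty root pool yields "unknown-authority", which is what "heave their root cert overboard" does) and possession of the matching key, plus the hostname binding. Nothing in the path reads the organization field, so a client that treats "O=" as a statement about who is legally entitled to a name is reading a claim the CA never made.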

