Message-ID: <441AC766.9040801@snosoft.com>
Date: Fri Mar 17 14:28:09 2006
From: simon at snosoft.com (Simon Smith)
Subject: HTTP AUTH BASIC monowall
Bkfsec,
Damn well put man! I am glad to see that I'm not the only one who
feels weary about this.
bkfsec wrote:
> Valdis.Kletnieks@...edu wrote:
>
>>
>> Been there, done that already. There was a phishing run a while ago,
>> the guys even had a functional SSL cert for www.mountain-america.net (the
>> actual bank was mntamerica.net or something like that..)
>>
>> Only real solution there is to get a good grip on what a CA is actually
>> certifying, which is a certain (usually very minimal) level of
>> *authentication*. They're certifying that somebody convinced them that the cert
>> was for who they claimed it was for. That's it. Anybody who attaches any
>> *other* meaning to it is making a big mistake. In particular, "authorization"
>> is totally out-of-scope here....
>>
>> "You are now talking to the site that one of the CAs you trust thinks belongs
>> to Frobozz, Inc.".
>>
>> If you don't trust that CA's judgment, you better heave their root
>> cert overboard...
>>
> And even then, as your example points out, it's possible for the CA to
> have "good judgment" and still not issue a certificate that is
> labelled to who you or I might think it is. Company naming is in the
> venue of trademark law... it's not up to the CAs to choose names for
> companies... I could start a company called "Microsoft Software LLC"
> and as long as I wasn't lying through my teeth the CA would be within
> their rights to issue the cert... the trick is that I'd probably not
> win a trademark battle in the courts and that during the lag time in
> between, I'd probably be able to dupe quite a few people if I were so
> inclined (and I'm not).
>
> All verifying a cert proves is that the computer on the other end has
> the matching cert and that the certificate authorities say that the
> cert is still valid. That's it. Nothing else.
>
> Frankly, the whole "web of trust" is a flawed idea. "Because A trusts
> B, and B trusts C, then A can (must?) trust C" is, excuse the lack of
> civility, utter bullshit.
> I trust my friends, it doesn't mean that I trust their friends. In
> this case, it's even more flawed because we're not talking about
> trusting a friend of a friend... we're talking about trusting people
> that our friends have met on the street... and that's it.
>
> There's no better replacement for it at this moment, but the
> assumptions made in it are flawed beyond their targeted application.
>
> -bkfsec
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
Regards,
Jackass
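As an added example (not code from the thread or from anyone in it), the Python below performs the checks a TLS client actually makes on a server certificate, using the dict layout that `ssl.SSLSocket.getpeercert()` returns, and shows that the organization name in the subject is only displayed, never compared with anything. The certificate contents, issuer name, clock value and dates are constructed.

```python
import ssl

# Constructed certificate in the dict layout that ssl.SSLSocket.getpeercert()
# returns; the organization, issuer and dates are made up for this example.
PHISHING_CERT = {
    "subject": ((("organizationName", "Mountain America Online LLC"),),
                (("commonName", "www.mountain-america.net"),)),
    "issuer": ((("organizationName", "Some Trusted Example CA"),),),
    "subjectAltName": (("DNS", "www.mountain-america.net"),
                       ("DNS", "mountain-america.net")),
    "notBefore": "Mar 17 14:28:09 2006 GMT",
    "notAfter": "Mar 17 14:28:09 2007 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2006 GMT")  # constructed clock

def label_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' only as the whole leftmost
    label, same label count, and never for a name as short as '*.net'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) != len(h) or len(p) < 3:
        return False
    return p[1:] == h[1:]

def hostname_matches(cert, hostname):
    """Only subjectAltName dNSName entries count when a SAN is present; the CN
    is a legacy fallback. organizationName is never consulted."""
    if "subjectAltName" in cert:
        names = [v for k, v in cert["subjectAltName"] if k == "DNS"]
    else:
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return any(label_matches(n, hostname) for n in names)

def what_verification_proves(cert, hostname, now, issuer_is_trusted):
    """The three facts a TLS client establishes, plus the organization string
    it merely displays. issuer_is_trusted stands in for chain building against
    the local root store, which the getpeercert() dict cannot carry."""
    org = [v for rdn in cert["subject"] for k, v in rdn if k == "organizationName"]
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "chains_to_trusted_ca": issuer_is_trusted,
        "within_validity": not_before <= now <= not_after,
        "hostname_matches": hostname_matches(cert, hostname),
        # Reported only: nothing checks this against the company you meant.
        "organization_reported": org[0] if org else None,
    }
```

For the constructed look-alike domain every check passes, which is exactly the thread's point: the browser padlock says the name matched and a trusted CA vouched for it, nothing more.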