lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJzM1SuDTVCX8d1bhBCpQhH_7B2PtoJSqu3Qqoh8EJxbpC3QAg@mail.gmail.com>
Date: Fri, 9 Sep 2011 16:23:50 +0700
From: JT S <whytehorse@...il.com>
To: coderman <coderman@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: Western Union Certificate Error

Non-authoritative answer:
Name:	wumt.westernunion.com
Address: 206.201.228.250
Non-authoritative answer:
Name:	www.westernunion.com
Address: 206.201.228.250

Yeah it looks like either human error or DNS. I didn't check the IPs
at the time but perhaps they were different for www and wumt. Is there
some way to take a certificate such as this one and manually verify
it? I know the browsers automatically check the CRL and the signature
of the CA but that doesn't help when you have a CA that has been
compromised and doesn't know what certificates are out there to
revoke. For all I know, anyone who breaks into any CA which is trusted
by my browser can issue and sign a cert for any domain and the browser
will blindly accept it.

I personally would prefer that the browsers only trust keys that I
have signed, have low trust for keys signed by keys I have signed, and
no trust for the rest. I'd really like the ability to walk into
western union or my bank or local google office and sign their key as
well as the ability to revoke my signature without revoking my key.
Finally, I'd like to see DNSSEC integrated at the browser layer so
that the DNS record has a signature that matches the key I've signed.
If the ISPs can ensure their routers direct the traffic to the right
IPs from the clients, then we'd be half-way secure in knowing that the
party on the other end is who we think it is.
On Fri, Sep 9, 2011 at 12:10 PM, coderman <coderman@...il.com> wrote:
> On Thu, Sep 8, 2011 at 3:07 PM,  <Valdis.Kletnieks@...edu> wrote:
>> ...
>> And look at the DNS info as seen from here:
>>
>> www.westernunion.com.   30      IN      A       206.201.228.250
>> wumt.westernunion.com.  30      IN      A       206.201.227.250
>>
>> Naah, no possible way to screw that up. ;)
>
> check the google cert and observ. it's been in use legitimately for
> months. (they just fucked up a deploy. attrition in the QA staff or
> just negligence? :)
>
> most mismatches of CA signed certs are due to human error of a
> failboat nature.  hoof beats for horses not zebras, etc...
>

CONFIDENTIALITY NOTICE This E-Mail transmission (and/or the documents
accompanying it) is for the sole use of the intended recipient(s) and
may contain information protected by the attorney-client privilege,
the attorney-work-product doctrine or other applicable privileges or
confidentiality laws or regulations. If you are not an intended
recipient, you may not review, use, copy, disclose or distribute this
message or any of the information contained in this message to anyone.
If you are not the intended recipient, please contact the sender by
reply e-mail and destroy all copies of this message and any
attachments.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ