[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJzM1SuDTVCX8d1bhBCpQhH_7B2PtoJSqu3Qqoh8EJxbpC3QAg@mail.gmail.com>
Date: Fri, 9 Sep 2011 16:23:50 +0700
From: JT S <whytehorse@...il.com>
To: coderman <coderman@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: Western Union Certificate Error
Non-authoritative answer:
Name: wumt.westernunion.com
Address: 206.201.228.250
Non-authoritative answer:
Name: www.westernunion.com
Address: 206.201.228.250
Yeah it looks like either human error or DNS. I didn't check the IPs
at the time but perhaps they were different for www and wumt. Is there
some way to take a certificate such as this one and manually verify
it? I know the browsers automatically check the CRL and the signature
of the CA but that doesn't help when you have a CA that has been
compromised and doesn't know what certificates are out there to
revoke. For all I know, anyone who breaks into any CA which is trusted
by my browser can issue and sign a cert for any domain and the browser
will blindly accept it.
I personally would prefer that the browsers only trust keys that I
have signed, have low trust for keys signed by keys I have signed, and
no trust for the rest. I'd really like the ability to walk into
western union or my bank or local google office and sign their key as
well as the ability to revoke my signature without revoking my key.
Finally, I'd like to see DNSSEC integrated at the browser layer so
that the DNS record has a signature that matches the key I've signed.
If the ISPs can ensure their routers direct the traffic to the right
IPs from the clients, then we'd be half-way secure in knowing that the
party on the other end is who we think it is.
On Fri, Sep 9, 2011 at 12:10 PM, coderman <coderman@...il.com> wrote:
> On Thu, Sep 8, 2011 at 3:07 PM, <Valdis.Kletnieks@...edu> wrote:
>> ...
>> And look at the DNS info as seen from here:
>>
>> www.westernunion.com. 30 IN A 206.201.228.250
>> wumt.westernunion.com. 30 IN A 206.201.227.250
>>
>> Naah, no possible way to screw that up. ;)
>
> check the google cert and observ. it's been in use legitimately for
> months. (they just fucked up a deploy. attrition in the QA staff or
> just negligence? :)
>
> most mismatches of CA signed certs are due to human error of a
> failboat nature. hoof beats for horses not zebras, etc...
>
CONFIDENTIALITY NOTICE This E-Mail transmission (and/or the documents
accompanying it) is for the sole use of the intended recipient(s) and
may contain information protected by the attorney-client privilege,
the attorney-work-product doctrine or other applicable privileges or
confidentiality laws or regulations. If you are not an intended
recipient, you may not review, use, copy, disclose or distribute this
message or any of the information contained in this message to anyone.
If you are not the intended recipient, please contact the sender by
reply e-mail and destroy all copies of this message and any
attachments.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists