Bugtraq mailing list archives

Re: BIND bugs of the month (spoofing secure Web sites?)


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Mon, 15 Nov 1999 09:54:04 -0800


I am killing the SSL / DNS thread. I am summarizing the responses. If you would
like to continue the discussion I suggest the SSL-TALK mailing list.

As Dan explained, such an attack is indeed possible, but as many others pointed
out the attack in and of itself is not against SSL but against the user. It all
comes down to how do you know that First National Bank's domain name is
firstnational.com and not first.national.com or fbank.com. It may well be that
the bank has multiple domain names. Identity binding to domain names or keys
is not an easy to solve issue, nor is it a purely technical one.

Many people pointed out that certificates are bound to domain names, ergo if
you know the domain name you are trying to connect to the certificate cannot
be spoofed.

It was also pointed out that to obtain a certificate from the top CA's there is
a long list of requirements such as showing proof of incorporation. This is
actually not as difficult as some of you may think. Residents of Nevada can
attest to how easy it is to incorporate.

It was also pointed out that you can create your own self-signed certificates
and that most browsers will ask the user whether to accept and add the new
certificate to their configuration. Most users will of course simply click on
all the OK buttons they see.

It was suggested that web sites should be advertising their SSL certificate
fingerprints (much in the same way as you should advertise your PGP
fingerprints) and that users should learn to verify the fingerprint when
visiting a web site. Of course the chances of a large portion of the
population learning this are small.

--
Elias Levy
Security Focus
http://www.securityfocus.com/
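
The fingerprint check suggested in the message above, as an added example that is not part of the original post: it hashes a certificate's DER encoding and compares the result with a fingerprint obtained out of band. SHA-256, the function names and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
# A fingerprint is a hash over the exact DER encoding, so any bytes show the idea.
SAMPLE_DER = b"constructed-example-certificate-der-bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint(cert, algo="sha256"):
    """Return the lowercase hex fingerprint of a PEM string or DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.new(algo, der).hexdigest()


def normalize(advertised):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    cleaned = "".join(ch for ch in advertised if ch not in ": \t\n-").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("advertised fingerprint is not hex")
    return cleaned


def matches(cert, advertised, algo="sha256"):
    """True only if the full fingerprint equals the advertised value."""
    want = normalize(advertised)
    got = fingerprint(cert, algo)
    # Reject truncated values: a short prefix is far easier to collide with.
    if len(want) != len(got):
        return False
    return hmac.compare_digest(want, got)


def display(hex_fp):
    """Format as colon-separated upper-case pairs, the usual display form."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()


if __name__ == "__main__":
    published = display(fingerprint(SAMPLE_DER))  # value the site would advertise
    print("advertised:", published)
    print("presented certificate matches:", matches(SAMPLE_PEM, published))
    print("altered certificate matches:", matches(SAMPLE_DER + b"x", published))
```

Against a live server, the PEM to check can be fetched with `ssl.get_server_certificate((host, 443))`; the advertised value has to arrive over a channel the attacker does not control for the comparison to mean anything.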


