Bugtraq mailing list archives
Re: New whitepaper "The Phishing Guide"
From: Juraj Bednar <juraj () bednar sk>
Date: Mon, 27 Sep 2004 16:50:31 +0200
Hello,
How does that help in practice? A user fooled by a link to ebay-support.com is just as likely to accept signed mail from foo () ebay-support com. Not to mention that the potential profits from phishing could easily finance the purchase of a forged cert if someone at one of the built-in CA's was corruptible. Given the several that are based in 3rd world companies (not to mention recent US corporate scandals) I have no confidence that won't eventually happen.
it is quite possible, I had success of convincing U.S. CAs of issuing me a certificate, while they shouldn't. I once wrote an article about it to 2600. Seems like most CAs are more capable of selling certificates than providing real security checks, which are usually done by using that same insecure channels, that they are trying to protect. For example: - a fax of business license (which for example in our country can be get by anyone) - e-mail to one of the administrative contacts from whois database (which can be -- if not protected -- changed by sending simple e-mail, if your registrar uses RIPE). - creating a file on the target webserver (which in turn is capable of all those attacks, that SSL is trying to protect). So basically, "hacking" CA is just paperwork, e-mail and browserwork. You can read the article here: http://files.juraj.bednar.sk/CA (I'm not sure, if it's the latest version, that got published, so please forbid any small mistakes, but you will get the point, hopefully). I believe there are CAs, that are more secure even for e-mail. Here in Slovakia, we have even law about electronic signatures, and you have to go physically to CA, show your ID, passport and after you convince them, you are the right person, they issue you a certificate (which is equal to signature on paper). One particular issue is, that they guarantee also your identity (not only the ability to read particular e-mail, which often is checked by so-called CAs by sending e-mail to the target address and user has to check the link, which does not guarantee anything, but the ability to read the particular e-mail -- which we want to protect from unauthorized users, right?). Juraj.
Current thread:
- New whitepaper "The Phishing Guide" Gunter Ollmann (NGS) (Sep 22)
- Re: New whitepaper "The Phishing Guide" Aleksandar Milivojevic (Sep 23)
- Re: New whitepaper "The Phishing Guide" Seth Arnold (Sep 24)
- Re: New whitepaper "The Phishing Guide" Aleksandar Milivojevic (Sep 27)
- Re: New whitepaper "The Phishing Guide" Greg A. Woods (Sep 27)
- Re: New whitepaper "The Phishing Guide" Crispin Cowan (Sep 28)
- Re: New whitepaper "The Phishing Guide" Seth Arnold (Sep 24)
- Re: New whitepaper "The Phishing Guide" Daniel Veditz (Sep 26)
- Re: New whitepaper "The Phishing Guide" Chip Andrews (Sep 27)
- Re: New whitepaper "The Phishing Guide" Philip Stoev (Sep 29)
- Re: New whitepaper "The Phishing Guide" Juraj Bednar (Sep 28)
- Re: New whitepaper "The Phishing Guide" Brian Dessent (Sep 28)
- Re: New whitepaper "The Phishing Guide" Aleksandar Milivojevic (Sep 23)
- Re[2]: New whitepaper "The Phishing Guide" Karsten Heidrich (Sep 28)
- <Possible follow-ups>
- RE: New whitepaper "The Phishing Guide" Dehner, Benjamin T. (Sep 25)