Bugtraq mailing list archives
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Scott Gifford <sgifford () suspectclass com>
Date: Fri, 11 Feb 2005 14:07:26 -0500
"Peter J. Holzer" <hjp () wsr ac at> writes: [...]
> The best way I can think of is to make it easy for the user to check information about the Domain. For example, the certificate for www.pаypal.com is for
>
>   CN = www.xn--pypal-4ve.com
>   OU = Domain Control Validated - StarterSSL(TM)
>   OU = See www.freessl.com/cps (c)04
>   OU = https://services.choicepoint.net/get.jsp?GT57083512
>   O = www.xn--pypal-4ve.com
>   C = US
Maybe I'm naive, but shouldn't a trustworthy root CA not sign certificates for domain names which are obviously meant to be deceptive? Isn't this the entire reason for browsers coming with a small list of CAs which are deemed trustworthy? If the holders of widely-trusted root certificates can't be trusted to avoid even the most rudimentary deceptions, many of the protections of SSL have only very limited value.

Perhaps some more care on the part of browser packagers in deciding which CAs have their certificates included by default is the solution.

----ScottG.
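A pre-issuance check of the kind discussed in this message, run on the certificate name quoted above. This is an added example, not part of the original post or of any CA's software; the function names, the `protected` set and the small look-alike table are assumptions made for illustration.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that render like
# Latin ones; a real check would load the full Unicode confusables data.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x"}

def decode_label(label):
    """Return the Unicode form of one DNS label ('xn--' labels are Punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Scripts of the letters in text, read from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def skeleton(text):
    """Replace known look-alike letters with their Latin counterpart."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in text.lower())

def review_name(hostname, protected):
    """Return the reasons a requested certificate name needs manual review."""
    findings = []
    for label in hostname.rstrip(".").split("."):
        try:
            uni = decode_label(label)
        except UnicodeError:
            findings.append(f"{label}: malformed Punycode")
            continue
        found = scripts(uni)
        if len(found) > 1:
            findings.append(f"{label}: mixes scripts {sorted(found)}")
        skel = skeleton(uni)
        # A label that only becomes a protected name after look-alike folding
        # is a homograph of it. Labels that already equal the name are skipped.
        if skel != uni.lower() and skel in protected:
            findings.append(f"{label}: look-alike of protected name '{skel}'")
    return findings

if __name__ == "__main__":
    # Name taken from the certificate quoted in the message above.
    for finding in review_name("www.xn--pypal-4ve.com", {"paypal"}):
        print(finding)
```

The mixed-script test alone misses a label written entirely in one non-Latin script, which is why the look-alike folding is a separate check.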