Bugtraq mailing list archives
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Ron DuFresne <dufresne () winternet com>
Date: Thu, 17 Feb 2005 01:21:22 -0600 (CST)
On Wed, 16 Feb 2005, Gwendolynn ferch Elydyr wrote:
> On Wed, 16 Feb 2005, bkfsec wrote:
>
> > The local BBB is accountable to local laws. CAs are spread throughout the world and are global in nature. As a member of a local community, I can choose to familiarize myself with those regulations, understand them, and use them against the BBB if they violate their trust. I can also choose to go on a crusade against the local BBB.
> >
> > I think that deep down we're agreeing on the point that they're inherently untrustworthy. My point in saying "if you take my meaning" was to highlight that rather than focus on this relatively minor nitpicking of point. I'm not the first one in this thread to bring up the BBB. So take your point up with the person who did bring it up, please.
>
> Actually I'm just trying to be explicitly clear about the path that you're using for trust. The BBB just happens to be the example that you'd used as an organization that you'd trust more than your average CA.
>
> As I'm reading you, you're saying that you:
>
> (1) trust establishments that you can see and touch more than you trust establishments that you can't see or touch.
> (2) trust establishments that are bound by a legal system that you're familiar with more than establishments that are bound by a legal system that you aren't familiar with.
>
> IMHO the question is more about what your particular grounds for trust happen to be than whether CAs are all/partially/not trustworthy - or if the BBB in your area happens to be trustworthy.
>
> Personally I'd really debate the concept that physical proximity is in any respect grounds for trust - and that familiarity implies the same. I'd be far more inclined to suggest using consistent long term behaviour as a predictor - and implementing a system where significant incentives towards desired behaviour exist.
But do not "physical proximity" and "familiarity" also imply that a lengthy relationship is probable, which would enable behavioural observations of said length to determine its consistency? Somewhat like the concept that a person gets better service from a smaller mom&pop shop than they do in a superstore?

Thanks,

Ron DuFresne
--
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em 'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.