Bugtraq mailing list archives
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Vincent Archer <var () deny-all com>
Date: Thu, 17 Feb 2005 10:12:48 +0100
On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:
> I'm not assuming anything, I'm making an argument why it would be self-destructive for any CA to adopt such a strategy. That doesn't mean they won't do it, people certainly do stupid things when they think they can get away with it. But the fact is, CAs can't get away with it. So if they think they can, they will quickly be proven wrong.

Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to somebody who simply said he was a Microsoft employee, and they didn't do any check about the identity of the person, what happened? Nothing. Except issuing a couple of "oops" certificate revocations. I can't even find a public announcement by Verisign stating they would take action to correct their own validation procedures and avoid repetition of the incorrect (and for a public CA, inexcusable) behaviour. Everybody here hopes they fixed their procedures... but no one even knows.

Obviously, CAs can get away with it. They merely have to say "oops", and 4 years later, they're still in all browsers. Heck, they're still in mine: if I remove their root CA, all I get for my vigilance is lots of popups insisting that the site I'm visiting is "not trusted".

> > People who think that the market will inherently protect them have been reading too much Ayn Rand and need to step away from the fiction-proposed-as-fact aisle. No offense meant by that - it's said tongue-in-cheek. :)
>
> Except that it does. Especially when all a company has to sell is its trust. This is true in many markets where companies have specifically set up to sell trust. You don't see people bribing the MPAA or Consumer Reports. Because such things could not possibly be hidden, and there's an immediate market remedy (stop trusting).

Probably. But the market pressure isn't there in the case of CAs. Because 99% of the "users" of CAs do not even know that CAs even exist. CAs are not selling the trust of users. They're selling slots in popular browsers to web sites. They're not saying "we're trusted by people", they say "we're trusted by browser makers".

--
Vincent ARCHER varcher () denyall com
Tel : +33 (0)1 40 07 47 14 Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France www.denyall.com