Full Disclosure mailing list archives
RE: MSN Webcam / Chat Spoof
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 12 May 2003 14:32:56 -0400
Having a more complete cert would raise the bar for social engineering attacks like the one being done at the fake MSN Web site. Right now, the ActiveX control gives the impression that it is coming from Microsoft.

Another fix for this kind of problem is that Internet Explorer checks with the issuing agency to see if a cert has been revoked before the ActiveX control is allowed to be installed.

Richard

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Monday, May 12, 2003 1:34 PM
To: Richard M. Smith
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] MSN Webcam / Chat Spoof

On Mon, 12 May 2003 10:09:32 EDT, "Richard M. Smith" <rms () computerbytesman com> said:

> My question: Why can't an Authenticode certificate present the following information to a user:
> - Company name
> - Street address
> - Phone number
> - Web site URL
> - Contact Email address
> - Company logo
> - Link to a product description page

OK... So you get a cert - now other than "phone number", is there anything there that *really* increases your confidence level (given that you have 2 http:// and a mailto: URL, and they could all point at a hijacked server)?

Remember that there has already been one well-publicized case of Verisign issuing a bogus Microsoft cert - there's no proof they haven't made the same social-engineering whoops on possibly *dozens* of lesser-known software houses. And after the dot-bombed era, there's probably a *lot* of places that had certs and went belly up - and said certs went out the door when the servers they were on got surplused. I'm sure snooping around the right hacker IRC channels will find you a pointer to a black-market cert that you can have a copy of....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html