Bugtraq mailing list archives
RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 17 Feb 2005 14:14:49 +1300
David Schwartz wrote:
> > My proposition is that the argument that they (and their associated webs of trust) are inherently trustworthy because of external pressures is a flawed assumption because they do not have the proposed level of pressure applied to them since most of the people affected by their web of trust don't understand it.
>
> They don't have to. I don't understand how my supermarket gets their meat, but I trust them to use safe sources because I know that if they didn't those who do understand would tell me, and then I'd figure out a way to avoid it.
That is not why you trust your supermarket to source good/safe meat at all. You trust your supermarket to source good/safe meat because you live somewhere that has strongly enforced regulations, with very stiff financial penalties, covering the slaughtering of animals, the preparation of their carcasses into meat products, and every step of the storage, shipping, handling, display and sale of such products. And, in fact, very similar reasons are why you trust so many other conveniences that comprise "the modern Western way of life". Further, these systems are so ingrained and work so well that most people (such as yourself?) have forgotten that the checks and balances even exist, taking for granted "safe meat from the supermarket" and so on.

The previous poster, to whom you responded, is essentially correct. The difference is that CAs, the webs of trust surrounding them and the whole CA/certification process do not have the checks and balances governing them that they are assumed to have. This is equally true of most other trust issues with computers, down to the most basic ones, such as the assumption on the part of consumers that the OS and the standard applications for the typical tasks to which computers will be put are designed to competently and safely perform those tasks while protecting the users from what should be "obvious dangers" to the technically competent and informed folk who, it is assumed, design, write and test such software.
> No CA wants to find out what market forces will appear as soon as they prove to be untrustworthy. There are already many vehicles for immediately deploying blacklists. For example, Symantec could release an update for any of their security products that removed a root CA. It wouldn't take more than a small percent of web users to have a problem with a CA before people wouldn't want their certificates to be signed by that CA. The CA market is competitive.
So, why is VeriSign still in the CA business? Or should releasing two code-signing certificates in Microsoft's name to non-MS related folk not be considered untrustworthy enough to utterly destroy any rational person's or organization's trust in a CA?

Regards,

Nick FitzGerald
Current thread:
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. David Schwartz (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 16)
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. David Schwartz (Feb 17)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 17)
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. David Schwartz (Feb 17)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 17)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 16)
- <Possible follow-ups>
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Bill Brown (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. lyal.collins (Feb 16)
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Tosoni (Feb 17)