Bugtraq mailing list archives

RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

From: Tosoni <jean-pierre.tosoni () libertysurf fr>
Date: Thu, 17 Feb 2005 10:20:22 +-100

Well, comparison with the NIC handle may be helpful... Here is my experiment about it:

I know of a guy who can be considered as a modern "average" user of NIC handles (since the overdevelopment of domains).

This guy keeps creating a new NIC handle for him each time he creates a domain for his company. And he creates many. So:

1) an average user does not understand NIC handles more than he understands CA. You (in your example) an I are not 
average users I believe.

2) Sounds like 90% of the NIC handles are unused/unneeded altogether. So maybe there is still 561 real NIC handle users 
on the place...

Back to the original problem, shouldn't the browser check that the domain name sought by the user, is only composed 
from existing keys on the user's keyboard, and alert the user otherwise ?
 

Regards
JPT

----------
De :    Thor (Hammer of God)[SMTP:thor () hammerofgod com]
<snip>


I know quite a number of average users and know of absolutely 0 who would
be aware of this.


The number of people that you know (or who I know) that are aware of the 
uses for client
certificates is not what drives commercial certificate authority business
models.   The simple fact of the matter is that user-level certificates are 
an important part of the commercial certificate authority plan, and becoming 
more and more so as your "average" users become aware of certificate 
applications.

When I got my NIC handle untold years ago, only 561 other humans had one. 
Your logic would preclude getting one in the first place, since no one knew 
they existed at the time.  When SSL certs were first being created 
commercially, how many server operators did you know that had one?  How many 
do you know now?  It's the same thing with client certs, and the logic 
stands that certificate applications apply to them as well; particularly in 
regard to the business and marketing models various certificate authorities 
are running their business by.  That was the point.

Current thread:

Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs., (continued)
- - - Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Vincent Archer (Feb 17)
    - Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Rainer Duffner (Feb 19)
    - Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 17)
    - RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. David Schwartz (Feb 17)
    - Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 17)
  - Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Thor (Hammer of God) (Feb 17)
    - Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 17)
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Nick FitzGerald (Feb 17)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Bill Brown (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. lyal.collins (Feb 16)
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Tosoni (Feb 17)
  - Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Riccardo Murri (Feb 19)