Full Disclosure mailing list archives
Anyone buy this?
From: full-disclosure () lists netsys com (Timothy J.Miller)
Date: Wed, 14 Aug 2002 23:40:36 -0500
On Wednesday, August 14, 2002, at 06:54 PM, Fenris The Wolf wrote:
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/IARWSV.asp
I will say I'm not surprised. What else should be expected?
> The identity of the attacker could easily be determined. To exploit the vulnerability, the attacker would require a valid SSL digital certificate, issued by a trusted Certificate Authority. However, most commercial Certificate Authorities require substantial proof of identity before issuing such a certificate,
Yeah, just like Verisign confirmed the spoofer who got new signing certs issued to him in Microsoft's name.
> The user would always have the ability to determine the truth.
While this is certainly technically true, it's not *practically* true. The average user knows fsck-all about X.509 and certificate chaining, much less how to use Microsoft's certificate display dialog.
> Clearly, it would have been best if a balanced assessment of the issue and its risk had been available from the start.
Never mind that FAILING TO VERIFY BASIC CONSTRAINTS is SUCH A FREAKING STUPID ERROR that it SHOULD NEVER HAVE EVER FSCKING HAPPENED IN THE FIRST GODDAMN PLACE... *ahem*

Excuse me, sometimes I just get riled. Obviously "balanced assessment" has a meaning I wasn't aware of. From the context it apparently means "brought to light in a way that didn't make us look like morons." Trusted Computing at work.

-- 
Cerebus
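An added example, not part of this post or the thread, that models the chaining failure Miller is shouting about. Certificates are plain dicts and the signatures are textbook RSA over SHA-256 with 512-bit keys, a constructed toy rather than real X.509 or production crypto; the names Trusted Root CA, www.attacker.example and www.bank.example are invented. The chain walk runs twice over the same path: once with the Basic Constraints check skipped (the behaviour the advisory is about, where any certificate with a valid signature is accepted as an issuer) and once with it enforced.

```python
"""Toy model of X.509 chain validation, built to show the Basic Constraints
failure discussed in the thread. Certificates are dicts, signatures are
textbook RSA over SHA-256 (no padding, 512-bit keys): illustration only."""
import hashlib
import random
import secrets

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (toy key generation only)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def gen_keypair(bits=512):
    """Return (public, private) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _tbs(cert):
    """Canonical 'to-be-signed' bytes: every field except the signature."""
    return repr(sorted((k, v) for k, v in cert.items() if k != "sig")).encode()

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(_digest(data), d, n)

def verify_sig(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data)

def make_cert(subject, issuer, issuer_priv, subject_pub, is_ca):
    """Issue a certificate; is_ca is the Basic Constraints CA flag."""
    cert = {"subject": subject, "issuer": issuer, "pub": subject_pub, "ca": is_ca}
    cert["sig"] = sign(issuer_priv, _tbs(cert))
    return cert

def verify_chain(path, trusted_roots, check_basic_constraints=True):
    """path[0] is the end-entity cert, path[1:] its claimed issuers in order; the
    last must chain to a trusted root. Returns (ok, reason). With
    check_basic_constraints=False any validly signed cert is accepted as an issuer."""
    roots = {r["subject"]: r for r in trusted_roots}
    for i, cert in enumerate(path):
        issuer = path[i + 1] if i + 1 < len(path) else roots.get(cert["issuer"])
        if issuer is None:
            return False, "issuer %r is not a trusted root" % cert["issuer"]
        if cert["issuer"] != issuer["subject"]:
            return False, "name chaining broken at %r" % cert["subject"]
        if not verify_sig(issuer["pub"], _tbs(cert), cert["sig"]):
            return False, "bad signature on %r" % cert["subject"]
        if check_basic_constraints and not issuer["ca"]:
            return False, "issuer %r is not a CA (Basic Constraints)" % issuer["subject"]
    return True, "ok"

def demo():
    """Constructed scenario: an ordinary end-entity cert (CA=FALSE) from a
    trusted root is used to 'issue' a cert for someone else's hostname."""
    root_pub, root_priv = gen_keypair()
    root = make_cert("Trusted Root CA", "Trusted Root CA", root_priv, root_pub, is_ca=True)
    att_pub, att_priv = gen_keypair()
    attacker = make_cert("www.attacker.example", "Trusted Root CA", root_priv, att_pub, is_ca=False)
    rogue_pub, _ = gen_keypair()
    rogue = make_cert("www.bank.example", "www.attacker.example", att_priv, rogue_pub, is_ca=False)
    return {
        "attacker_own_cert": verify_chain([attacker], [root]),
        "rogue_without_bc_check": verify_chain([rogue, attacker], [root], check_basic_constraints=False),
        "rogue_with_bc_check": verify_chain([rogue, attacker], [root]),
    }

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-24s %s (%s)" % (name, "ACCEPTED" if ok else "REJECTED", reason))
```

Every signature on the rogue path is mathematically valid, which is why a verifier that only checks signatures and name chaining accepts www.bank.example; the only thing separating the two verdicts is whether the issuer's CA flag is consulted, and the user-facing dialog would show a chain that ends at a trusted root either way.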
Current thread:
- Anyone buy this? Fenris The Wolf (Aug 14)
- Anyone buy this? Anthony LaMantia (Aug 13)
- Anyone buy this? Timothy J.Miller (Aug 14)