Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall


From: bkfsec <bkfsec () sdf lonestar org>
Date: Thu, 16 Mar 2006 14:38:15 -0500

Valdis.Kletnieks () vt edu wrote:

> Been there, done that already.  There was a phishing run a while ago,
> the guys even had a functional SSL cert for www.mountain-america.net (the
> actual bank was mntamerica.net or something like that..)
>
> Only real solution there is to get a good grip on what a CA is actually
> certifying, which is a certain (usually very minimal) level of
> *authentication*. They're certifying that somebody convinced them that the cert
> was for who they claimed it was for.  That's it.  Anybody who attaches any
> *other* meaning to it is making a big mistake.  In particular, "authorization"
> is totally out-of-scope here....
>
> "You are now talking to the site that one of the CAs you trust thinks belongs
> to Frobozz, Inc.".
>
> If you don't trust that CA's judgment, you better heave their root cert overboard...

And even then, as your example points out, it's possible for the CA to have "good judgment" and still not issue a certificate that is labelled to who you or I might think it is. Company naming is in the venue of trademark law... it's not up to the CAs to choose names for companies... I could start a company called "Microsoft Software LLC" and as long as I wasn't lying through my teeth the CA would be within their rights to issue the cert... the trick is that I'd probably not win a trademark battle in the courts and that during the lag time in between, I'd probably be able to dupe quite a few people if I were so inclined (and I'm not).

All verifying a cert proves is that the computer on the other end has the matching cert and that the certificate authorities say that the cert is still valid. That's it. Nothing else.

Frankly, the whole "web of trust" is a flawed idea. "Because A trusts B, and B trusts C, then A can (must?) trust C" is, excuse the lack of civility, utter bullshit. I trust my friends, it doesn't mean that I trust their friends. In this case, it's even more flawed because we're not talking about trusting a friend of a friend... we're talking about trusting people that our friends have met on the street... and that's it.

There's no better replacement for it at this moment, but the assumptions made in it are flawed beyond their targeted application.

         -bkfsec


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/