Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall
From: bkfsec <bkfsec () sdf lonestar org>
Date: Thu, 16 Mar 2006 14:38:15 -0500
Valdis.Kletnieks () vt edu wrote:
>> And even then, as your example points out, it's possible for the CA to have "good judgment" and still not issue a certificate that is labelled to who you or I might think it is. Company naming is in the venue of trademark law... it's not up to the CAs to choose names for companies... I could start a company called "Microsoft Software LLC" and as long as I wasn't lying through my teeth the CA would be within their rights to issue the cert... the trick is that I'd probably not win a trademark battle in the courts and that during the lag time in between, I'd probably be able to dupe quite a few people if I were so inclined (and I'm not).
>
> Been there, done that already. There was a phishing run a while ago, the guys even had a functional SSL cert for www.mountain-america.net (the actual bank was mntamerica.net or something like that..)
>
> Only real solution there is to get a good grip on what a CA is actually certifying, which is a certain (usually very minimal) level of *authentication*. They're certifying that somebody convinced them that the cert was for who they claimed it was for. That's it. Anybody who attaches any *other* meaning to it is making a big mistake. In particular, "authorization" is totally out-of-scope here.... "You are now talking to the site that one of the CAs you trust thinks belongs to Frobozz, Inc.". If you don't trust that CA's judgment, you better heave their root cert overboard...
All verifying a cert proves is that the computer on the other end has the matching cert and that the certificate authorities say that the cert is still valid. That's it. Nothing else.
Frankly, the whole "web of trust" is a flawed idea. "Because A trusts B, and B trusts C, then A can (must?) trust C" is, excuse the lack of civility, utter bullshit. I trust my friends, it doesn't mean that I trust their friends. In this case, it's even more flawed because we're not talking about trusting a friend of a friend... we're talking about trusting people that our friends have met on the street... and that's it.
There's no better replacement for it at this moment, but the assumptions made in it are flawed beyond their targeted application.
-bkfsec

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
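As an added illustration of the point both posters are making (what certificate verification actually checks and what it does not), here is a toy model of X.509 path validation. It is constructed for this page and is not code from anyone in the thread; the CA names, dates and the Python `Cert` type are made up, and the two hostnames are the ones mentioned in the thread. The model performs the three checks a TLS client does (chain to a locally trusted root, validity window, hostname against the leaf's DNS names) and assumes signature verification and the handshake's proof of private-key possession have already succeeded, since those are not modelled. Nothing in it consults the organisation named in the subject, which is exactly why a correctly issued cert for a lookalike domain passes while the user believes they are at their bank.

```python
"""Toy model of what X.509 path validation establishes (constructed example).

A TLS client checks that the server certificate chains to a root in the
client's own trust store, that every certificate in the chain is inside its
validity window, and that one of the leaf's DNS names matches the hostname
the client asked for.  Signature checks and the handshake's proof that the
server holds the private key are assumed correct and are not modelled.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str                 # DN, e.g. "CN=Toy Root CA" (hypothetical)
    issuer: str                  # subject DN of the signing certificate
    not_before: datetime
    not_after: datetime
    san: tuple = ()              # DNS names the cert is valid for (leaf only)
    is_ca: bool = False


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID matching: exact, or one leading wildcard label."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    pl, hl = p.split("."), h.split(".")
    # "*.example.com" matches "www.example.com", not "example.com" or "a.b.example.com"
    return len(pl) == len(hl) and pl[1:] == hl[1:]


def build_path(leaf: Cert, intermediates, trust_store) -> Optional[list]:
    """Walk issuer links from the leaf until a certificate in trust_store is hit."""
    by_subject = {c.subject: c for c in intermediates}
    roots = {c.subject: c for c in trust_store}
    path, current, seen = [leaf], leaf, {leaf.subject}
    while True:
        if current.issuer in roots:
            return path + [roots[current.issuer]]
        nxt = by_subject.get(current.issuer)
        if nxt is None or not nxt.is_ca or nxt.subject in seen:
            return None            # dangling issuer, non-CA issuer, or a loop
        seen.add(nxt.subject)
        path.append(nxt)
        current = nxt


def verify(leaf: Cert, intermediates, trust_store, hostname: str, now: datetime):
    """Return (ok, reason); ok is True only when chain, time and name all check out."""
    path = build_path(leaf, intermediates, trust_store)
    if path is None:
        return False, "no path to a trusted root"
    for c in path:
        if not (c.not_before <= now <= c.not_after):
            return False, f"{c.subject} outside its validity window"
    if not any(hostname_matches(n, hostname) for n in leaf.san):
        return False, f"{hostname} matches none of {leaf.san}"
    return True, "ok"


# --- constructed scenario modelled on the thread's phishing anecdote ---------
Y2006 = datetime(2006, 1, 1, tzinfo=timezone.utc)
Y2010 = datetime(2010, 1, 1, tzinfo=timezone.utc)
ROOT = Cert("CN=Toy Root CA", "CN=Toy Root CA", Y2006, Y2010, is_ca=True)
INTER = Cert("CN=Toy Issuing CA", "CN=Toy Root CA", Y2006, Y2010, is_ca=True)
# Leaf for the lookalike name.  The O= field is whatever the applicant told the
# CA and is never consulted by the hostname check.
LOOKALIKE = Cert("CN=www.mountain-america.net,O=Mountain America Inc",
                 "CN=Toy Issuing CA", Y2006, Y2010,
                 san=("www.mountain-america.net",))
NOW = datetime(2006, 3, 16, tzinfo=timezone.utc)   # constructed "today"


def lookalike_passes() -> bool:
    """Client connected to the lookalike host: everything it can check is fine."""
    return verify(LOOKALIKE, [INTER], [ROOT], "www.mountain-america.net", NOW)[0]


def real_bank_name_rejected() -> str:
    """Same cert presented for the real bank's hostname fails only on the name."""
    return verify(LOOKALIKE, [INTER], [ROOT], "www.mntamerica.net", NOW)[1]


def after_heaving_root_overboard() -> str:
    """Drop the root from the trust store and the lookalike's cert no longer chains."""
    return verify(LOOKALIKE, [INTER], [], "www.mountain-america.net", NOW)[1]


if __name__ == "__main__":
    print(lookalike_passes(), real_bank_name_rejected(), after_heaving_root_overboard())
```

The three result functions map onto the thread: `lookalike_passes` is the phishing cert that "worked", `real_bank_name_rejected` shows that the only name the client compares is the one it connected to, and `after_heaving_root_overboard` is the remedy Valdis mentions, which is also the only lever the relying party actually has in this model.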
Current thread:
- HTTP AUTH BASIC monowall Brian Eaton (Mar 16)
- Re: HTTP AUTH BASIC monowall Tim (Mar 16)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 16)
- Re: HTTP AUTH BASIC monowall Tim (Mar 16)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 17)
- Re: HTTP AUTH BASIC monowall Tim (Mar 17)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 16)
- Re: HTTP AUTH BASIC monowall Simon Smith (Mar 17)
- Re: HTTP AUTH BASIC monowall Brian Eaton (Mar 17)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- Re: HTTP AUTH BASIC monowall Brian Eaton (Mar 16)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- <Possible follow-ups>
- Re: HTTP AUTH BASIC monowall Jason Coombs (Mar 16)
- Re: HTTP AUTH BASIC monowall Jason Coombs (Mar 16)