Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Thu, 16 Mar 2006 16:48:40 -0500
On 3/16/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Thu, 16 Mar 2006 15:10:50 EST, Brian Eaton said:
>
> > My read of that statement is that Geotrust sees nothing wrong with their verification process and is not going to take any action to prevent this from happening again. The incentives for the CAs are in all the wrong places. They suffer no financial harm when they certify a false identity. Instead, they make a quick buck.
>
> It's more subtle than that. Geotrust didn't do *anything* wrong. They issued a cert for www.mountain-america.net to the rightful owners of www.mountain-america.net. There's no reason to raise a flag here, as nothing nefarious has happened. They're not up for a financial hit for certifying a false identity, because they certified the real identity correctly, as per their procedures. There's little to nothing that Geotrust can do about the fact that after they properly certified mountain-america.net, it turned around and pretended to be mntamerica.net.
Your point is definitely valid: Geotrust did what they said they would do. I'd like to see their process changed so that it included a more serious check into the business whose web site they are verifying. A good goal would be for a CA to be able to establish an identity well enough that after six months they could find the entity to whom they issued the certificate. Then an SSL certificate would imply some degree of accountability.

Something simple from a technical perspective would be for CAs to have a 90-day waiting period before issuing an SSL certificate. If the cert was purchased with a stolen credit card, that gives plenty of time for the fraud to come to light. That's obviously not a 100% solution, but it would raise the bar a bit.

A waiting period might not be reasonable from a business perspective. I wonder what percentage of CA revenue comes from mom-and-pop internet store fronts that aren't willing to wait that 90 days?

I started digging around on Geotrust's web site looking for their policy on issuing certificates and stumbled across a FAQ on high-assurance SSL certificates. This sounds like a step in the right direction.

http://www.geotrust.com/products/ssl_certificates/hassl_faq.asp

- Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- HTTP AUTH BASIC monowall Brian Eaton (Mar 16)
- Re: HTTP AUTH BASIC monowall Tim (Mar 16)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 16)
- Re: HTTP AUTH BASIC monowall Tim (Mar 16)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 17)
- Re: HTTP AUTH BASIC monowall Tim (Mar 17)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 16)
- Re: HTTP AUTH BASIC monowall Simon Smith (Mar 17)
- Re: HTTP AUTH BASIC monowall Brian Eaton (Mar 17)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- Re: HTTP AUTH BASIC monowall Brian Eaton (Mar 16)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- <Possible follow-ups>
- Re: HTTP AUTH BASIC monowall Jason Coombs (Mar 16)
- Re: HTTP AUTH BASIC monowall Jason Coombs (Mar 16)
- Re: HTTP AUTH BASIC monowall Dave Korn (Mar 17)