Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall


From: "Brian Eaton" <eaton.lists () gmail com>
Date: Thu, 16 Mar 2006 16:48:40 -0500

On 3/16/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Thu, 16 Mar 2006 15:10:50 EST, Brian Eaton said:
>
> > My read of that statement is that Geotrust sees nothing wrong with
> > their verification process and is not going to take any action to
> > prevent this from happening again.
> >
> > The incentives for the CAs are in all the wrong places.  They suffer
> > no financial harm when they certify a false identity.  Instead, they
> > make a quick buck.
>
> It's more subtle than that.
>
> Geotrust didn't do *anything* wrong.  They issued a cert for www.mountain-america.net
> to the rightful owners of www.mountain-america.net.  There's no reason to raise
> a flag here, as nothing nefarious has happened.  They're not up for a financial hit
> for certifying a false identity, because they certified the real identity
> correctly, as per their procedures.
>
> There's little to nothing that Geotrust can do about the fact that after they
> properly certified mountain-america.net, it turned around and pretended to be
> mntamerica.net.

Your point is definitely valid, Geotrust did what they said they would
do.  I'd like to see their process changed so that it included a more
serious check into the business whose web site they are verifying.  A
good goal would be for a CA to be able to establish an identity well
enough that after six months they could find the entity to whom they
issued the certificate.  Then an SSL certificate would imply some
degree of accountability.

Something simple from a technical perspective would be for CAs to have
a 90 day waiting period before issuing an SSL certificate.  If the
cert was purchased with a stolen credit card, that gives plenty of
time for the fraud to come to light.  That's obviously not a 100%
solution, but it would raise the bar a bit.  A waiting period might
not be reasonable from a business perspective.  I wonder what
percentage of CA revenue comes from mom and pop internet store fronts
that aren't willing to wait that 90 days?

I started digging around on Geotrust's web site looking for their
policy on issuing certificates and stumbled across a FAQ on
high-assurance SSL certificates.  This sounds like a step in the right
direction.

http://www.geotrust.com/products/ssl_certificates/hassl_faq.asp

- Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

