Re: HTTP AUTH BASIC monowall

[Simon Smith <simon () snosoft com>]

Bkfsec,
    Damn well put man! I am glad to see that I'm not the only one who
feels weary about this.

bkfsec wrote:
> Valdis.Kletnieks () vt edu wrote:
>
> > Been there, done that already.  There was a phishing run a while ago,
> > the guys even had a functional SSL cert for www.mountain-america.net
> > (the
> > actual bank was mntamerica.net or something like that..)
> >
> > Only real solution there is to get a good grip on what a CA is actually
> > certifying, which is a certain (usually very minimal) level of
> > *authentication*. They're certifying that somebody convinced them
> > that the cert
> > was for who they claimed it was for.  That's it.  Anybody who
> > attaches any
> > *other* meaning to it is making a big mistake.  In particular,
> > "authorization"
> > is totally out-of-scope here....
> >
> > "You are now talking to the site that one of the CAs you trust thinks
> > belongs
> > to Frobozz, Inc.".
> >
> > If you don't trust that CA's judgment, you better heave their root
> > cert overboard...
> >
> >  
> And even then, as your example points out, it's possible for the CA to
> have "good judgment" and still not issue a certificate that is
> labelled to who you or I might think it is.  Company naming is in the
> venue of trademark law... it's not up to the CAs to choose names for
> companies... I could start a company called "Microsoft Software LLC"
> and as long as I wasn't lying through my teeth the CA would be within
> their rights to issue the cert... the trick is that I'd probably not
> win a trademark battle in the courts and that during the lagtime in
> between, I'd probably be able to dupe quite a few people if I were so
> inclined (and I'm not).
>
> All verifying a cert proves is that the computer on the other end has
> the matching cert and that the certificate authorities say that the
> cert is still valid.  That's it.  Nothing else.
>
> Frankly, the whole "web of trust" is a flawed idea.  "Because A trusts
> B, and B trusts C, then A can (must?) trust C" is, excuse the lack of
> civility, utter bullshit.
> I trust my friends, it doesn't mean that I trust their friends.  In
> this case, it's even more flawed because we're not talking about
> trusting a friend of a friend... we're talking about trusting people
> that our friends have met on the street... and that's it.
>
> There's no better replacement for it at this moment, but the
> assumptions made in it are flawed beyond their targetted application.
>
>          -bkfsec
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


-- 
Regards, 
        Jackass


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/