Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Fri, 17 Mar 2006 20:10:27 -0000
Jason Coombs wrote:
> Brian Eaton wrote:
> > I'd like to see their process changed so that it included a more serious check into the business whose web site they are verifying.
>
> This makes no sense at all, and is simply impossible within the DNS system. Furthermore, all verification done by any CA can be easily fooled.

That may be the case in practice, but it's surely not an absolute theoretical limitation? I would have thought it should be perfectly /possible/ to set up a CA that really did do a good job; that wouldn't issue a certificate except in person, that insists on sending one of the CA's staff round to the subscriber's business premises to meet them personally, look at the buildings, look at whether it's an established business with a history of trading, ask to see customer testimonials, etc. etc. It might still be possible to fool them but it would suddenly require you to hire a bunch of actors, rent business premises, forge dozens of copies of old newspapers to look like you've been in existence and advertising for some years.... it's suddenly a /much/ steeper barrier than some stupid automated system that some stupid skiddie can email from some stupid open proxy.

And of course that's the real reason why CA verification can be defeated: not because there's some technical, logical, social or moral impossibility about it; merely because automation is cheap and the corporations that perform it are cheapskates who care only about the bottom line and don't mind providing a shit service that fails to fulfill its requirements.

cheers,
DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/