WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: Stephen de Vries <stephen () corsaire com>
Date: Wed, 28 Jul 2004 11:40:39 +0100


On 28 Jul 2004, at 03:25, Jason Coombs PivX Solutions wrote:

> Toro, Daniel wrote:
> > Maybe the certificate is hard (near impossible?) to fake
>
> certificate chain validation flaws exist in Internet Explorer, Mozilla, and other browsers that enable anyone to forge any server certificate.

I assume you're referring to the vulnerabilities discovered in IE around 2001 (Ref: http://www.securityfocus.com/bid/2735). After patching and then promptly breaking the patch, Microsoft have apparently resolved the issue, as described here: http://www.microsoft.com/technet/security/bulletin/MS02-050.mspx

As for "Mozilla and other browsers", I assume you're referring to the X.509 Certificate Chain vulnerability announced in Aug 2002 here: http://www.securityfocus.com/bid/5410/. These issues have been addressed, as described in the solution. Are you referring to other certificate vulnerabilities that have not been patched for over a year?

> I would say that certificate-based server authentication is dead, except that it still produces huge annual revenues for the companies that sell this useless snake oil remedy for a problem that doesn't exist.

Rubbish. The problem is very real: How do I verify someone's identity, if I know nothing about them? Certificate Authorities solve this problem by verifying this unknown person for me - and subsequently signing his certificate. Now, I only need to trust the CAs and their vetting process, and I automatically trust the people they've vetted.

> Nobody has trouble communicating their public key to the people who need to know what it is.

BUT they have a great deal of trouble ensuring that the public key belongs to that person, and that the person is who they claim to be. Anyone can generate a public-private key pair, but not everyone can have their private key signed by a trusted CA.

> The tax man must be paid else the padlock will not appear. Certificates are a means of extracting money from people who want to do something meaningful with the Web.

To deduce that the entire certificate architecture is flawed because you don't agree with the business practices of certificate authorities is illogical, captain.

If you have a real critique of the certificate system as implemented through SSL, then please present your argument in a logical and coherent form. No, it's not a perfect system, and there are flaws, but these can be addressed without rewriting the entire concept of using certificates.

Stephen.
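The chain-of-trust model argued over above (a relying party trusts only the root CAs, and accepts a server certificate because a CA it trusts signed it) depends on the validator enforcing that every issuer in the chain is itself a CA. The script below is an added illustration, not code from the thread or its authors: it builds a throwaway root and server certificate with the openssl command line (assumed available, 1.1.1 or newer; all names are constructed placeholders), then shows a conforming validator accepting the real chain and rejecting a certificate whose "issuer" is an ordinary CA:FALSE server certificate.

```shell
#!/bin/sh
# Added example, not code from the original thread. Demonstrates one check a
# certificate-chain validator must enforce: the issuer of every certificate
# in the chain must itself be marked as a CA (basicConstraints CA:TRUE).
# Assumes the openssl CLI (1.1.1 or newer). Names are constructed
# placeholders; keys are throwaway and live in a temporary directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Helper: fresh RSA key plus CSR for the given CN, written to $2.key/$2.csr.
newcsr() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# 1. Trust anchor: self-signed root, explicitly CA:TRUE.
newcsr "Example Root CA" root
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile ca.ext -out root.pem 2>/dev/null

# 2. Ordinary server certificate issued by the root, CA:FALSE.
newcsr "www.example.com" leaf
printf 'basicConstraints=critical,CA:FALSE\n' > ee.ext
openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ee.ext -out leaf.pem 2>/dev/null

# 3. A certificate for another site, signed with the leaf's private key.
#    Any holder of an ordinary server certificate can produce such a thing;
#    only the validator's CA check keeps it from being trusted.
newcsr "www.other.example" rogue
openssl x509 -req -in rogue.csr -CA leaf.pem -CAkey leaf.key -CAcreateserial \
  -days 30 -extfile ee.ext -out rogue.pem 2>/dev/null

# Exit status 0 when leaf.pem chains to the trusted root.
verify_leaf() { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }

# Exit status 0 only if the validator accepts rogue.pem with leaf.pem offered
# as its issuer. A correct validator fails here: leaf.pem is CA:FALSE.
verify_rogue() {
  openssl verify -CAfile root.pem -untrusted leaf.pem rogue.pem >/dev/null 2>&1
}

verify_leaf  && echo "leaf:  accepted - chains to a trusted root"
verify_rogue || echo "rogue: rejected - its issuer is not a CA"
```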
