Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: Does VeriSign's SiteFinder service violate the ECPA?
From: Justin Hahn <jeh () profitlogic com>
Date: Thu, 25 Sep 2003 10:47:02 -0400

The point I think Mr. Smith is trying to make is that Verisign seems
to *want* to intercept this private information and use it to their
own commercial advantage.  Respectable sysadmins do not wish to receive
form data intended for other sites.

As an aside, I find it very curious that people characterize HTTP
traffic done in the clear (i.e. unencrypted) on the public internet
as private data. If I shout my Social Security Number out loud in
public, I am surely to blame for any losses I might incur from this act.
HTTP traffic on the net is nominally analogous.

Now, if they were using some sort of wildcard SSL cert (technically, this is
doable. Most browsers support a wildcard CN cert, but curiously Verisign is
one of the CAs that DOESN'T issue them.) then it'd be a different story.

Something to consider is if I've got a website foobar.com and it's a secure
site, what happens if I accidentally direct traffic to foobarrr.com, which
is actually SiteFinder+SSL. Hopefully the browser will alert the user that
they are connecting to a different site with a different cert. However, it's
quite likely that won't happen. (and if it does, I'm betting it's one of the
popups that most users disable.)

I'd be careful making legal arguments, but I suspect that if Verisign is
doing anything with this data they are justifying it as being "Public" and
that if people are foolish enough to transmit "Private" data in a "Public" 
medium they can't be held liable. (But of course, that's for the courts to
decide, and I wouldn't shed a tear if a judge disagreed with that 
interpretation.)

--jeh


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault