Bugtraq mailing list archives

Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Vincent Archer <var () deny-all com>
Date: Thu, 17 Feb 2005 10:12:48 +0100

On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:
> I'm not assuming anything, I'm making an argument why it would be
> self-destructive for any CA to adopt such a strategy. That doesn't mean they
> won't do it, people certainly do stupid things when they think they can get
> away with it. But the fact is, CAs can't get away with it. So if they think
> they can, they will quickly be proven wrong.

Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to
somebody who simply said he was a Microsoft employee, and they didn't
do any check about the identity of the person, what happened?

Nothing. Except issuing a couple of "oops" certificate revocations.

I can't even find a public announcement by Verisign stating they would take
actions to correct their own validation procedures and avoid repetition
of the incorrect (and for a public CA, inexcusable) behaviour. Everybody
here hopes they fixed their procedures... but no one even knows.

Obviously, CAs can get away with it. They merely have to say "oops", and
4 years later, they're still in all browsers. Heck, they're still in mine:
if I remove their root CA, all I get for my vigilance is lots of popups
insisting that the site I'm visiting is "not trusted".

> > People who think that the market will inherently protect them have been
> > reading too much Ayn Rand and need to step away from the
> > fiction-proposed-as-fact aisle.  No offense meant by that - it's said
> > tongue-in-cheek.  :)
>
> Except that it does. Especially when all a company has to sell is its
> trust. This is true in many markets where companies have specifically set up
> to sell trust. You don't see people bribing the MPAA or Consumer Reports.
> Because such things could not possibly be hidden, and there's an immediate
> market remedy (stop trusting).


But the market pressure isn't there in the case of CAs. Because 99% of the
"users" of CAs do not even know that CAs even exist. CAs are not selling
the trust of users. They're selling slots in popular browsers to web sites.
They're not saying "we're trusted by people", they say "we're trusted by
browser makers".

Vincent ARCHER
varcher () denyall com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
