Home page logo

bugtraq logo Bugtraq mailing list archives

Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: bkfsec <bkfsec () sdf lonestar org>
Date: Thu, 17 Feb 2005 09:46:21 -0500

Thor (Hammer of God) wrote:

Hmmm... I'm confused now... You just said in your last post that average users don't want, need, or know how certificates work, and how your previous (and specious) point stood because of that fact. Yet here, you state that enough of a backlash from these users exists to keep a global entity like Symantec from taking action should they revoke a trusted CA from a users' certificate store even though the user (according to you) didn't know they trusted in the first place. Explain that.

Simple. If a major CA root is revoked, a large number of major sites will all start displaying browser warnings which will be an annoyance to the user, causing at least a decent percentage of them to question why they are getting a constantly recurring pop-up whenever they go to a large number of sites.

Users are only interested (and not always so, but often) in things that pop up in front of their faces and annoy them. The user wasn't aware of the CA before (since a root CA being automatically accepted by a browser will result in no warning message for the user on sites that use certs supplied by the CA) but are aware that something is up (and annoying) after (if) they update their browser.

So, no - it's neither specious nor is it confusing. It just requires some common sense and actual exposure to the user population. Something which some people here seem to be lacking.

Comparing CA accountability to meat sales isn't a valid analogy. Obviously, the CAs don't want to be regulated, but trusting them because of this is a bit like saying that business owners would never short-pay an employee because of fear of what the employees would do.

David was not comparing accountability to sales. He compared trust to trust. Pretty simple stuff.

David is the one who used the term sales - bring it up with him. Yeah, pretty simple stuff - which is why I disagreed with it.

Also, the fact that the CA market is competitive only further muddies the waters. Not all CAs are in the same country and their competition forces them to be price-competitive. This reduces the priority of being responsible. Or, to use your meat analogy, mass-produced meat tends to be of a lower quality than individually produced meat products, particularly in unregulated countries.

I acquiesce. I failed to take into account the multi-national not-for-profit CA's out there making a killing by scooping up the free end-user business that you claim does not exist in the first place.

Who said anything about not-for-profit?

People who think that the market will inherently protect them have been reading too much Ayn Rand and need to step away from the fiction-proposed-as-fact isle. No offense meant by that - it's said tongue-in-cheek. :)

No Barry, we just understand that the market corrects itself in these matters. That's how the market works. Once upon a time, there was no such thing as a certificate. Now it is a billion dollar biz. It has nothing to do with the BBB or who you think is the average user. I deploy and maintain an extensive PKI infrastructure for my company as I do for many of my clients. I'm happy to engage in further dialog regarding this subject so that I may have the opportunity to learn something, but before I do so, I'd like to get a glimpse into the vast PKI infrastructure you maintain so that I may prioritize your input. Please describe your Cert/PKI infrastructure so that we may all benefit from your knowledge.

Suffice it to say that I'm involved in maintaining one for a very large corportation. Frankly, I could care less how you prioritize what I say. You clearly have your own opinions on the matter, I personally feel that they don't take into account factors that are important.

You talk about browsers revoking trust in CAs as if it has no impact on the end user.

You talk as if it's a simple proposition for Microsoft or any other browser manufacturer to revoke a CA trust.

I'm saying that it's not, and that the browsers have to consider the affects on their customers. I'm also saying that corporations, in this case, don't always make the secure decision, but rather the decision that gives the user the greatest amount of likelihood of using their product.

If you disagree with this concept, I say that you're wrong.

It is a simple concept, yet you are continuing to disagree with it.

I'm sorry if you don't feel like you can learn anything from me, but I'm not here to teach you. I'm simply saying that you are not taking all of the factors into account. Feel free to disagree with that, but you'd still be wrong.

The CA and browser markets do not exist in a vacuum.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]