mailing list archives
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: bkfsec <bkfsec () sdf lonestar org>
Date: Thu, 17 Feb 2005 09:46:21 -0500
Thor (Hammer of God) wrote:
Hmmm... I'm confused now... You just said in your last post that
average users don't want, need, or know how certificates work, and how
your previous (and specious) point stood because of that fact. Yet
here, you state that enough of a backlash from these users exists to
keep a global entity like Symantec from taking action should they
revoke a trusted CA from a users' certificate store even though the
user (according to you) didn't know they trusted in the first place.
Simple. If a major CA root is revoked, a large number of major sites
will all start displaying browser warnings which will be an annoyance to
the user, causing at least a decent percentage of them to question why
they are getting a constantly recurring pop-up whenever they go to a
large number of sites.
Users are only interested (and not always so, but often) in things that
pop up in front of their faces and annoy them.
The user wasn't aware of the CA before (since a root CA being
automatically accepted by a browser will result in no warning message
for the user on sites that use certs supplied by the CA) but are aware
that something is up (and annoying) after (if) they update their browser.
So, no - it's neither specious nor is it confusing. It just requires
some common sense and actual exposure to the user population. Something
which some people here seem to be lacking.
Comparing CA accountability to meat sales isn't a valid analogy.
Obviously, the CAs don't want to be regulated, but trusting them
because of this is a bit like saying that business owners would never
short-pay an employee because of fear of what the employees would do.
David was not comparing accountability to sales. He compared trust to
trust. Pretty simple stuff.
David is the one who used the term sales - bring it up with him. Yeah,
pretty simple stuff - which is why I disagreed with it.
Also, the fact that the CA market is competitive only further muddies
the waters. Not all CAs are in the same country and their
competition forces them to be price-competitive. This reduces the
priority of being responsible. Or, to use your meat analogy,
mass-produced meat tends to be of a lower quality than individually
produced meat products, particularly in unregulated countries.
I acquiesce. I failed to take into account the multi-national
not-for-profit CA's out there making a killing by scooping up the free
end-user business that you claim does not exist in the first place.
Who said anything about not-for-profit?
Suffice it to say that I'm involved in maintaining one for a very large
Frankly, I could care less how you prioritize what I say. You clearly
have your own opinions on the matter, I personally feel that they don't
take into account factors that are important.
People who think that the market will inherently protect them have
been reading too much Ayn Rand and need to step away from the
fiction-proposed-as-fact isle. No offense meant by that - it's said
No Barry, we just understand that the market corrects itself in these
matters. That's how the market works. Once upon a time, there was no
such thing as a certificate. Now it is a billion dollar biz. It has
nothing to do with the BBB or who you think is the average user. I
deploy and maintain an extensive PKI infrastructure for my company as
I do for many of my clients. I'm happy to engage in further dialog
regarding this subject so that I may have the opportunity to learn
something, but before I do so, I'd like to get a glimpse into the vast
PKI infrastructure you maintain so that I may prioritize your input.
Please describe your Cert/PKI infrastructure so that we may all
benefit from your knowledge.
You talk about browsers revoking trust in CAs as if it has no impact on
the end user.
You talk as if it's a simple proposition for Microsoft or any other
browser manufacturer to revoke a CA trust.
I'm saying that it's not, and that the browsers have to consider the
affects on their customers. I'm also saying that corporations, in this
case, don't always make the secure decision, but rather the decision
that gives the user the greatest amount of likelihood of using their
If you disagree with this concept, I say that you're wrong.
It is a simple concept, yet you are continuing to disagree with it.
I'm sorry if you don't feel like you can learn anything from me, but I'm
not here to teach you. I'm simply saying that you are not taking all of
the factors into account. Feel free to disagree with that, but you'd
still be wrong.
The CA and browser markets do not exist in a vacuum.
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Thor (Hammer of God) (Feb 18)
RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Nick FitzGerald (Feb 17)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 18)