Full Disclosure: Re: HTTP AUTH BASIC monowall

["Brian Eaton" <eaton.lists () gmail com>]

On 3/16/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Wed, 15 Mar 2006 15:14:47 EST, Brian Eaton said:
> > tim-security at sentinelchicken.org wrote:
> > How trustworthy are the CA certificates included in the average browser?
> >
> > There are a couple of dozen CA certificates shipped with my browser.
> > Some of the vendors associated with these CA certificates offer to
> > give me a certificate for my web site in 10 minutes or less for a
> > couple of hundred dollars.
> >
> > This sounds like a really ripe opportunity for social engineering to me.
> Been there, done that already.  There was a phishing run a while ago,
> the guys even had a functional SSL cert for www.mountain-america.net (the
> actual bank was mntamerica.net or something like that..)
>
> Only real solution there is to get a good grip on what a CA is actually
> certifying, which is a certain (usually very minimal) level of
> *authentication*. They're certifying that somebody convinced them that the cert
> was for who they claimed it was for.  That's it.  Anybody who attaches any
> *other* meaning to it is making a big mistake.  In particular, "authorization"
> is totally out-of-scope here....
>
> "You are now talking to the site that one of the CAs you trust thinks belongs
> to Frobozz, Inc.".
>
> If you don't trust that CA's judgment, you better heave their root cert overboard...
Brian Krebs from the Washington Post wrote a column about the Mountain
America scam, and he even got somebody from Geotrust to comment on
what went wrong.

The column is here:
http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html

Here's the section of the article that has Geotrust's response:
<----snip---->
Joan Lockhart, the company's vice president of marketing, said the
site was registered on Sunday and the cert was issued early this
morning. Lockhart said Geotrust has a rigorous process in place to
check for phishy certificate requests that relies on algorithms which
check cert requests for certain words, misspellings or phrases that
may indicate a phisher is involved. In this case, she said, the
technology did not flag the request because there was nothing in the
Internet address to indicate the site was at all related to a
financial institution.

Geotrust's cert verification process is largely automated: when
someone requests a cert for a particular site, the company sends an
e-mail to the address included in the Web site's registrar records,
along with a special code that the recipient needs to phone in to
complete the process.

Lockhart said she doubted that inserting a human into that process
would have flagged the account as suspicious.

"I would argue that probably anyone who is processing
mountain-america.net would not have raised flags," she said.
<----snip---->

My read of that statement is that Geotrust sees nothing wrong with
their verification process and is not going to take any action to
prevent this from happening again.

The incentives for the CAs are in all the wrong places.  They suffer
no financial harm when they certify a false identity.  Instead, they
make a quick buck.

- Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/