Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Fri, 17 Mar 2006 20:10:27 -0000
Jason Coombs wrote:
Brian Eaton wrote:I'd like to see their process changed so that it included a more serious check into the business whose web site they are verifying.This makes no sense at all, and is simply impossible within the DNS system. Furthermore, all verification done by any CA can be easily fooled.
That may be the case in practice, but it's surely not an absolute
theoretical limitation? I would have thought it should be perfectly
/possible/ to set up a CA that really did do a good job; that wouldn't issue
a certificate except in person, that insists on sending one of the CA's
staff round to the subscriber's business premises to meet them personally,
look at the buildings, look at whether it's an established business with a
history of trading, ask to see customer testimonials, etc. etc.
It might still be possible to fool them but it would suddenly require you
to hire a bunch of actors, rent business premises, forge dozens of copies of
old newspapers to look like you've been in existence and advertising for
some years.... it's suddenly a /much/ steeper barrier than some stupid
automated system that some stupid skiddie can email from some stupid open
proxy.
And of course that's the real reason why CA verification can be defeated:
not because there's some technical, logical, social or moral impossibility
about it; merely because automation is cheap and the corporations that
perform it are cheapskates who care only about the bottom line and don't
mind providing a shit service that fails to fulfill its requirements.
cheers,
DaveK
--
Can't think of a witty .sigline today....
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: HTTP AUTH BASIC monowall, (continued)
- Re: HTTP AUTH BASIC monowall Tim (Mar 16)
- Re: HTTP AUTH BASIC monowall bkfsec (Mar 17)
- Re: HTTP AUTH BASIC monowall Tim (Mar 17)
- Re: HTTP AUTH BASIC monowall Simon Smith (Mar 17)
- Re: HTTP AUTH BASIC monowall Brian Eaton (Mar 17)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- Re: HTTP AUTH BASIC monowall Brian Eaton (Mar 16)
- Re: HTTP AUTH BASIC monowall Valdis . Kletnieks (Mar 16)
- Re: HTTP AUTH BASIC monowall Dave Korn (Mar 17)
