[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs.
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: RE: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs.
- From: Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx>
- Date: Mon, 14 Feb 2005 06:32:41 -0800
> From: Scott Gifford [mailto:sgifford@xxxxxxxxxxxxxxxx]
> Sent: Friday, 11 February, 2005 14:07
>
> Isn't this the entire reason for browsers coming with a
> small list of CAs which are deemed trustworthy?
What "small list"? IE contains root certificates with server-authentication
rights from some 37 organizations. That's not the number of roots - that's
the number of organizations who have gotten Microsoft to include one or more
roots.
Do you deem all of them trustworthy? Do you even have any idea who they
are? Do you suppose that the vast majority of users even know what a root
cert or a CA is? They put their trust in "the system" - they've been told
that it's safe to reveal sensitive information if they see a little padlock
icon in their browser.
Anything that makes it easier for an attacker to confuse that class of user
- the dominant class - about what site they're actually using when that
little padlock appears is *in practice* a serious security risk. It doesn't
matter whether it's well-intentioned or technically elegant; it's a problem,
and CAs are not going to save us from it.
Unfortunately, while it might appear that Verisign has shot itself in the
foot with IDNs, in practice they have monopolistic power and a market which
doesn't understand the product they're selling, and consequently can't make
rational decisions. (Not that consumers generally make rational decisions
anyway.) Verisign can probably devalue its own product pretty much
arbitrarily without significant bottom-line impact.
--
Michael Wojcik
Principal Software Systems Developer, Micro Focus