[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Vincent Archer <var@xxxxxxxxxxxx>
Date: Thu, 17 Feb 2005 10:12:48 +0100

On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:
>       I'm not assuming anything, I'm making an argument why it would be
> self-destructive for any CA to adopt such a strategy. That doesn't mean they
> won't do it, people certainly do stupid things when they think they can get
> away with it. But the fact is, CAs can't get away with it. So if they think
> they can, they will quickly be proven wrong.

Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to
somebody who simply said he was a Microsoft employee, and they didn't
do any check about the identity of the person, what happened?

Nothing. Except issuing a couple of "oops" certificate revocations.

I can't even find a public announce by Verisign stating they would take
actions to correct their own validation procedures and avoid repetition
of the incorrect (and for a public CA, inexcusable) behaviour. Everybody
here hopes they fixed their procedures... but no one even knows.

Obviously, CA can get away with it. They merely have to say "oops", and
4 years later, they're still in all browsers. Heck, they're still in mine:
if I remove their root CA, all I get for my vigilance is lots of popups
insisting that the site I'm visiting is "not trusted".

> > People who think that the market will inherently protect them have been
> > reading too much Ayn Rand and need to step away from the
> > fiction-proposed-as-fact isle.  No offense meant by that - it's said
> > tongue-in-cheek.  :)
> 
>       Except that it does. Especially when all a company has to sell is its
> trust. This is true in many markets where companies have specifically set up
> to sell trust. You don't see people bribing the MPAA or Consumer Reports.
> Because such things could not possibly be hidden, and there's an immediate
> market remedy (stop trusting).

Probably.

But the market pressure isn't there in the case of CA. Because 99% of the
"users" of CAs do not even know that CA even exists. CAs are not selling
the trust of users. They're selling slots in popular browsers to web sites.
They're not saying "we're trusted by people", they say "we're trusted by
browser makers".

-- 
Vincent ARCHER
varcher@xxxxxxxxxxx

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com

Follow-Ups:
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Rainer Duffner

References:
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: bkfsec
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: David Schwartz

Prev by Date: Remote Windows Kernel Exploitation - Step Into the Ring 0
Next by Date: RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Previous by thread: RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Next by thread: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Index(es):
- Date
- Thread