[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

To: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: bkfsec <bkfsec@xxxxxxxxxxxxxxxx>
Date: Wed, 16 Feb 2005 10:28:42 -0500

Thor (Hammer of God) wrote:

The number of people that you know (or who I know) that are aware of the uses for client certificates is not what drives commercial certificate authority business models. The simple fact of the matter is that user-level certificates are an important part of the commercial certificate authority plan, and becoming more and more so as your "average" users become aware of certificate applications.

Actually, the number of people who are aware of the functioning and usage of certificates is very important to the web of trust and, as such, the business model. The "trustworthiness" of the CA is only affected if enough people refuse to accept their certificates.

When I got my NIC handle untold years ago, only 561 other humans had one. Your logic would preclude getting one in the first place, since no one knew they existed at the time. When SSL certs were first being created commercially, how many server operators did you know that had one? How many do you know now? It's the same thing with client certs, and the logic stands that certificate applications apply to them as well; particularly in regard to the business and marketing models various certificate authorities are running their business by. That was the point.

No - implying that my logic implies anything itself implies that I made a recommendation against certification. I did no such thing.

The CAs have many uses and the way that they are used right now is good. However, the question is whether you can trust them to moderate IDN or any other site as trusted authorities.

My proposition is that the argument that they (and their associated webs of trust) are inherently trustworthy because of external pressures is a flawed assumption because they do not have the proposed level of pressure applied to them since most of the people affected by their web of trust don't understand it.

Until the average person can read and understand certs, my point stands.

-Barry

References:
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Neil W Rickert
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: David Schwartz
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Vincent Archer
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Thor (Hammer of God)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: bkfsec
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Thor (Hammer of God)

Prev by Date: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Next by Date: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Previous by thread: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Next by thread: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Index(es):
- Date
- Thread