Bugtraq mailing list archives
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Scott Gifford <sgifford () suspectclass com>
Date: Fri, 11 Feb 2005 23:03:11 -0500
Neil W Rickert <rickert+bt () cs niu edu> writes:
> Scott Gifford <sgifford () suspectclass com> wrote on Feb 11, 2005:
>
>> Maybe I'm naive, but shouldn't a trustworthy root CA not sign certificates for domain names which are obviously meant to be deceptive?
>
> Signing the certificate earns income for the CA and its shareholders, and serves the customer who requested that the certificate be signed. If a CA were to set very high standards and check very carefully, then it would price itself out of the market. As a user of a browser I am not a customer of the CA, and it isn't evident why the CA should be under any obligation to me. They surely are under an obligation to their shareholders and their customers.
My understanding of the business model was similar to an organization like the Better Business Bureau; the customers are the ones paying to be certified, because being certified gives them some extra legitimacy. BBB is able to do this because they have built up public trust; essentially they're a reseller of public trust. If they do a poor job of screening, it reflects poorly on their customers, and trust in them is reduced. CAs serve a similar function. If they have no public trust, what do they have to sell? Surely people don't pay them 50-100 bucks for the 5 seconds of CPU time it takes to sign the certificate...

----ScottG.