Bugtraq mailing list archives

Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.


From: Scott Gifford <sgifford () suspectclass com>
Date: Fri, 11 Feb 2005 23:03:11 -0500

Neil W Rickert <rickert+bt () cs niu edu> writes:

> Scott Gifford <sgifford () suspectclass com> wrote on Feb 11, 2005:
>
> > Maybe I'm naive, but shouldn't a trustworthy root CA not sign
> > certificates for domain names which are obviously meant to be
> > deceptive?
>
> Signing the certificate earns income for the CA and its shareholders,
> and serves the customer who requested that the certificate be
> signed.  If a CA were to set very high standards and check very
> carefully, then it would price itself out of the market.
>
> As a user of a browser I am not a customer of the CA, and it isn't
> evident why the CA should be under any obligation to me.  They surely
> are under an obligation to their shareholders and their customers.

My understanding of the business model was similar to an organization
like the Better Business Bureau; the customers are the ones paying to
be certified, because being certified gives them some extra
legitimacy.  BBB is able to do this because they have built up public
trust; essentially they're a reseller of public trust.  If they do a
poor job of screening, it reflects poorly on their customers, and
trust in them is reduced.

CAs serve a similar function.  If they have no public trust, what do
they have to sell?  Surely people don't pay them 50-100 bucks for the
5 seconds of CPU time it takes to sign the certificate...

----ScottG.
