Bugtraq mailing list archives
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Gwendolynn ferch Elydyr <gwen () reptiles org>
Date: Wed, 16 Feb 2005 13:49:54 -0500 (EST)
On Wed, 16 Feb 2005, bkfsec wrote:
The local BBB is accountable to local laws. CAs are spread throughout the world and are global in nature. As a member of a local community, I can choose to familiarize myself with those regulations, understand them, and use them against the BBB if they violate their trust. I can also choose to go on a crusade against the local BBB.I think that deep down we're agreeing on the point that they're inherently untrustworthy. My point in saying "if you take my meaning" was to hi-light that rather than focus on this relatively minor nitpicking of point. I'm not the first one in this thread to bring up the BBB. So take your point up with the person who did bring it up, please.
Actually I'm just trying to be explicitly clear about the path that you're using for trust. The BBB just happens to be the example that you'd used as an organization that you'd trust more than your average CA. As I'm reading you, you're saying that you: (1) trust establishments that you can see and touch more than you trust establishments that you can't see or touch. (2) trust establishments that are bound by a legal system that you're familiar with more than establishments that are bound by a legal system that you aren't familiar with. IMHO the question is more about what your particular grounds for trust happen to be than whether CAs are all/partially/not trustworthy - or if the BBB in your area happens to be trustworthy.Personally I'd really debate the concept that physical proximity is in any respect grounds for trust - and that familiarity implies the same.
I'd be far more inclined to suggest using consistent long term behaviouras a predictor - and implementing a system where significant incentives towards desired behaviour exist.
cheers! ========================================================================== "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
Current thread:
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs., (continued)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Will Kamishlian (Feb 10)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Peter J. Holzer (Feb 10)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Scott Gifford (Feb 11)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Neil W Rickert (Feb 12)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Scott Gifford (Feb 12)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 15)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Gwendolynn ferch Elydyr (Feb 15)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 15)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Gwendolynn ferch Elydyr (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Gwendolynn ferch Elydyr (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Ron DuFresne (Feb 17)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Peter J. Holzer (Feb 10)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Seth Breidbart (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Will Kamishlian (Feb 10)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. George Capehart (Feb 16)
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. David Schwartz (Feb 14)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Vincent Archer (Feb 15)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Thor (Hammer of God) (Feb 15)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 15)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Thor (Hammer of God) (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Stefan Paletta (Feb 17)