Bugtraq mailing list archives
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: bkfsec <bkfsec () sdf lonestar org>
Date: Thu, 17 Feb 2005 09:25:28 -0500
David Schwartz wrote:
Wow. You just conceded that there is significant pressure on major vendors to not counter the CA, and then claimed that some ethereal other would magically be able to enforce it where Symantec couldn't.Then somebody else would. Market demand creates solutions. I can't see how the legal issues are any different from the ones they face when they label software as adware or spyware.
Market demand sometimes does create solutions, however to claim that it does without fail is a bit naive.
So, if not Symantec, then who else do you propose would?
t's also like saying that corporations never form trusts and price fix for fear of the consumer.No, they never do so because such strategies only work in very unusual circumstances. Nobody can make a person pay more for something than it is worth.
History disagrees with you. So do a number of economists.
I'm not assuming anything, I'm making an argument why it would be self-destructive for any CA to adopt such a strategy. That doesn't mean they won't do it, people certainly do stupid things when they think they can get away with it. But the fact is, CAs can't get away with it. So if they think they can, they will quickly be proven wrong.
It would harm them, yes, but they very well can get away with it.
It's interesting how you cite market dynamics in your arguments, but disregard them when they aren't favorable to your point.Also, the fact that the CA market is competitive only further muddies the waters. Not all CAs are in the same country and their competition forces them to be price-competitive. This reduces the priority of being responsible. Or, to use your meat analogy, mass-produced meat tends to be of a lower quality than individually produced meat products, particularly in unregulated countries.I could not disagree more. All a CA has to sell is its trust. The trust is its product. CAs sell trust, they are in the trust business. If a CA loses the trust of browser vendors, it has nothing to sell. If a CA loses the trust of users, pressure will be put on browser vendors.
If hundreds of thousands of sites use a particular CA as their root, then removing the CA trust from the browser will cause an annoyance for the browser consumer, resulting in 1 of 2 possible outcomes:
1) People learn to modify their configs and setup the CA as trusted. 2) People move to browsers that trust that CA by default.The only way that a CA can lose the trust of the browser users is if the browser users understand how the CAs work and understand how to put pressure on the browser market to achieve that end result.
Again, we get back to the fact that most end users (browser market customers) can barely turn on their PCs, nevermind understand or care about CA trust relationships. You have to put yourself into that position and think like they do before you should ever propose a pie-in-the-sky market solution to something like this.
There are millions of people out there who don't trust the MPAA or the RIAA, for that matter. Not having the trust of the people hasn't stopped them. Again, you've chosen a very poor example.People who think that the market will inherently protect them have been reading too much Ayn Rand and need to step away from the fiction-proposed-as-fact isle. No offense meant by that - it's said tongue-in-cheek. :)Except that it does. Especially when all a company has to sell is its trust. This is true in many markets where companies have specifically set up to sell trust. You don't see people bribing the MPAA or Consumer Reports. Because such things could not possibly be hidden, and there's an immediate market remedy (stop trusting).
The market does not inherently protect people. Anyone who believes that is reality impaired and doesn't have a very good understanding of history nor economics.
-Barry
Current thread:
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. David Schwartz (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 16)
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. David Schwartz (Feb 17)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 17)
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. David Schwartz (Feb 17)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 17)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 16)
- <Possible follow-ups>
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Bill Brown (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. lyal.collins (Feb 16)
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Tosoni (Feb 17)