Bugtraq mailing list archives
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Rainer Duffner <rainer () ultra-secure de>
Date: Fri, 18 Feb 2005 01:50:06 +0100
Vincent Archer wrote:
> On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:
>> I'm not assuming anything, I'm making an argument why it would be self-destructive for any CA to adopt such a strategy. That doesn't mean they won't do it, people certainly do stupid things when they think they can get away with it. But the fact is, CAs can't get away with it. So if they think they can, they will quickly be proven wrong.
>
> Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to somebody who simply said he was a Microsoft employee, and they didn't do any check about the identity of the person, what happened? Nothing. Except issuing a couple of "oops" certificate revocations. I can't even find a public announcement by Verisign stating they would take actions to correct their own validation procedures and avoid repetition of the incorrect (and for a public CA, inexcusable) behaviour. Everybody here hopes they fixed their procedures... but no one even knows.
I, too, would be interested in some kind of "lessons learned"-document, describing why this could happen at all - and how Verisign wanted to avoid it in the future.
It's really a pity that the root-CAs in browsers haven't been subject to more public scrutiny - now and back then.
cheers,
Rainer
--
===================================================
~ Rainer Duffner - rainer () ultra-secure de ~
~ Freising - Munich - Germany ~
~ Unix - Linux - BSD - OpenSource - Security ~
~ http://www.ultra-secure.de/~rainer/pubkey.pgp ~
===================================================