Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Thu, 16 Mar 2006 15:10:50 -0500
On 3/16/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Wed, 15 Mar 2006 15:14:47 EST, Brian Eaton said:
> > tim-security at sentinelchicken.org wrote:
> > > How trustworthy are the CA certificates included in the average browser?
> > > There are a couple of dozen CA certificates shipped with my browser. Some
> > > of the vendors associated with these CA certificates offer to give me a
> > > certificate for my web site in 10 minutes or less for a couple of hundred
> > > dollars. This sounds like a really ripe opportunity for social engineering
> > > to me.
>
> Been there, done that already. There was a phishing run a while ago, the guys
> even had a functional SSL cert for www.mountain-america.net (the actual bank
> was mntamerica.net or something like that..)
>
> Only real solution there is to get a good grip on what a CA is actually
> certifying, which is a certain (usually very minimal) level of
> *authentication*. They're certifying that somebody convinced them that the
> cert was for who they claimed it was for. That's it. Anybody who attaches
> any *other* meaning to it is making a big mistake. In particular,
> "authorization" is totally out-of-scope here.... "You are now talking to the
> site that one of the CAs you trust thinks belongs to Frobozz, Inc.". If you
> don't trust that CA's judgment, you better heave their root cert overboard...
Brian Krebs from the Washington Post wrote a column about the Mountain America scam, and he even got somebody from Geotrust to comment on what went wrong. The column is here:

http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html

Here's the section of the article that has Geotrust's response:

<----snip---->
Joan Lockhart, the company's vice president of marketing, said the site was registered on Sunday and the cert was issued early this morning. Lockhart said Geotrust has a rigorous process in place to check for phishy certificate requests that relies on algorithms which check cert requests for certain words, misspellings or phrases that may indicate a phisher is involved. In this case, she said, the technology did not flag the request because there was nothing in the Internet address to indicate the site was at all related to a financial institution.

Geotrust's cert verification process is largely automated: when someone requests a cert for a particular site, the company sends an e-mail to the address included in the Web site's registrar records, along with a special code that the recipient needs to phone in to complete the process. Lockhart said she doubted that inserting a human into that process would have flagged the account as suspicious.

"I would argue that probably anyone who is processing mountain-america.net would not have raised flags," she said.
<----snip---->

My read of that statement is that Geotrust sees nothing wrong with their verification process and is not going to take any action to prevent this from happening again.

The incentives for the CAs are in all the wrong places. They suffer no financial harm when they certify a false identity. Instead, they make a quick buck.

- Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
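The Geotrust statement quoted above describes a request screen that looks only for financial words and misspellings in the requested name, which is why "mountain-america.net" passed. The following is an added example, not code from this thread, from Geotrust, or from any CA: it puts that keyword-only check beside a brand-similarity check of the kind a CA (or a bank watching new certificate issuance for its own name) could run. The keyword list, the PROTECTED_BRANDS table and the test domains are constructed sample data; the pairing of the "mountain america" brand with mntamerica.net is taken from Valdis's message, which itself gives that domain as uncertain.

```python
"""Screening a certificate request's domain name for phishing indicators.

Added example. Shows why a keyword-only screen misses a lookalike such as
mountain-america.net, and how matching the requested name against a list of
protected brands catches it. All lists below are constructed sample data.
"""
import re
from difflib import SequenceMatcher

# Constructed: words an automated screen might treat as "financial".
FINANCIAL_KEYWORDS = {"bank", "banking", "credit", "creditunion",
                      "secure", "login", "account", "verify"}

# Constructed: brands that asked to be watched, keyed by their real
# registrable domain so the brand's own requests are not flagged.
PROTECTED_BRANDS = {
    "mntamerica.net": "mountain america",   # domain as given (uncertainly) in the thread
    "example-bank.com": "example bank",     # constructed
}


def registrable_label(domain):
    """Return the label left of the TLD, e.g. 'mountain-america'.
    Simplified: the last label is treated as the suffix (no public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def keyword_check(domain):
    """The keyword-only screen: split the name on separators and digits and
    report any token that is a financial keyword. Returns a sorted list."""
    tokens = [t for t in re.split(r"[-_.\d]+", domain.lower()) if t]
    return sorted(t for t in tokens if t in FINANCIAL_KEYWORDS)


def brand_check(domain, threshold=0.8):
    """Report protected brands the requested name resembles.

    A hit is recorded when every word of the brand name appears in the
    requested label (hyphens and digits removed), or when the label is
    similar enough (difflib ratio) to the brand name or its real label.
    The brand's own domain and its subdomains are never flagged.
    """
    domain = domain.lower()
    squashed = re.sub(r"[^a-z]", "", registrable_label(domain))
    hits = []
    for real_domain, brand in PROTECTED_BRANDS.items():
        if domain == real_domain or domain.endswith("." + real_domain):
            continue
        words_present = all(w in squashed for w in brand.split())
        sim_brand = SequenceMatcher(None, squashed, brand.replace(" ", "")).ratio()
        sim_label = SequenceMatcher(None, squashed, registrable_label(real_domain)).ratio()
        if words_present or max(sim_brand, sim_label) >= threshold:
            hits.append(real_domain)
    return hits


def screen_request(domain):
    """Run both screens and return the findings for one requested name."""
    keywords = keyword_check(domain)
    brands = brand_check(domain)
    return {"domain": domain, "keywords": keywords,
            "brand_hits": brands, "flag": bool(keywords or brands)}


if __name__ == "__main__":
    # Constructed sample requests: the thread's lookalike, the real bank's
    # own name, an obviously keyword-laden name, and an unrelated one.
    for name in ("mountain-america.net", "mntamerica.net",
                 "secure-login-portal.com", "weather-report.org"):
        print(screen_request(name))
```

Running it shows the asymmetry the thread is complaining about: the keyword screen reports nothing for mountain-america.net (no financial word in the name), while the brand screen flags it against mntamerica.net because both words of the brand appear in the label. A real deployment would replace the two-line TLD heuristic with a public-suffix list and the brand table with a maintained feed, but the decision logic is the same.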