WebApp Sec mailing list archives
Re: Growing Bad Practice with Login Forms
From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Wed, 28 Jul 2004 10:00:24 -0700
Rubbish. The problem is very real: How do I verify someone's identity, if I know nothing about them? Certificate Authorities solve this problem by verifying this unknown person for me - and subsequently signing his certificate. Now, I only need to trust the CAs and their vetting process, and I automatically trust the people they've vetted.
But the vetting process for a free email cert is minimal. I've received certs for all sorts of other names because it's easy to create email addresses, including using names like bill.clinton () hotmail com and then getting a cert for that email address. And nobody has any other cert today, so relying on such certs is pointless because they don't exist. This gets much murkier for international communications. And how do you know to trust some of the 40+ CAs that are out there? Verisign once issued two certs for Microsoft to criminals, and Verisign surely is the leader and a Microsoft cert certainly must have undergone the utmost rigor, yet there you have it. Have you never heard of a forged passport or driver's license? The more credentials, the more we're suckered into believing something when we see the credential, even if the credential is not legit. And as for SSL, only the web site requires them, and it's rather easy to trick people into believing they are secure when they are not, including having a legit cert for a domain that tricks people long enough to do the crime, like www.microsoft-support.biz or whatever... David
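The trust model the post describes, and the look-alike domain it names, as an added example that is not part of the original message or of any list member's code: a Go program (standard library only) mints a constructed root CA, has it issue a certificate for www.microsoft-support.biz that also carries bill.clinton@hotmail.com as an e-mail SAN, and then runs the checks a relying party performs. The root, the serial numbers and the "vetting" are all constructed for the example. The checks show what a valid chain does and does not prove: validation succeeds for the look-alike host as long as the root is in the relying party's pool, fails for www.microsoft.com because the leaf does not name it, and fails for any host once the root is not trusted; the e-mail SAN is present simply because the issuer put it there.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate makes a fresh P-256 key and a certificate template with the fields
// every cert here shares. Nothing is vetted: the name is whatever the caller says.
func newTemplate(serial int64, cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}, key, nil
}

// NewCA mints a constructed self-signed root; it is "trusted" only if a relying party adds it to its pool.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl, key, err := newTemplate(1, name)
	if err != nil {
		return nil, nil, err
	}
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf has ca sign a certificate binding a fresh key to the given DNS names
// and e-mail addresses. This is the whole "vetting" a free e-mail cert gets.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, dns, emails []string) (*x509.Certificate, error) {
	tmpl, key, err := newTemplate(serial, "leaf")
	if err != nil {
		return nil, err
	}
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection}
	tmpl.DNSNames, tmpl.EmailAddresses = dns, emails
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyHost is the browser's check: chain to a trusted root AND leaf names host. Nil on success.
func VerifyHost(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenario builds the constructed PKI and reports whether each check passes.
func Scenario() (map[string]bool, error) {
	root, rootKey, err := NewCA("Constructed Root CA")
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root) // the relying party trusts exactly this one root
	// A perfectly valid cert for the look-alike domain from the post, plus an e-mail SAN.
	leaf, err := IssueLeaf(root, rootKey, 2,
		[]string{"www.microsoft-support.biz"}, []string{"bill.clinton@hotmail.com"})
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"lookalike-host-trusted":   VerifyHost(leaf, trusted, "www.microsoft-support.biz") == nil,
		"real-host-trusted":        VerifyHost(leaf, trusted, "www.microsoft.com") == nil,
		"lookalike-host-untrusted": VerifyHost(leaf, x509.NewCertPool(), "www.microsoft-support.biz") == nil,
		"email-san":                len(leaf.EmailAddresses) == 1 && leaf.EmailAddresses[0] == "bill.clinton@hotmail.com",
	}, nil
}

func main() {
	results, err := Scenario()
	if err != nil {
		panic(err)
	}
	for check, ok := range results {
		fmt.Printf("%-26s passes=%v\n", check, ok)
	}
}
```

Run it with `go run .`; only the lookalike-host-trusted and email-san checks pass. The design point is that x509 validation answers two narrow questions, "did a root I trust sign this?" and "does it name the host I typed?", and neither says anything about who is behind microsoft-support.biz or who reads the hotmail mailbox.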
Current thread:
- Re: Growing Bad Practice with Login Forms, (continued)
- Re: Growing Bad Practice with Login Forms Merlijn Tishauser (Jul 27)
- RE: Growing Bad Practice with Login Forms Mark Curphey (Jul 27)
- Re: Growing Bad Practice with Login Forms Rogan Dawes (Jul 27)
- Re: Growing Bad Practice with Login Forms Andrew Steingruebl (Jul 27)
- RE: Growing Bad Practice with Login Forms Thomas Schreiber (Jul 27)
- RE: Growing Bad Practice with Login Forms Yvan Boily (Jul 27)
- Re: Growing Bad Practice with Login Forms Toro, Daniel (Jul 27)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 27)
- Re: Growing Bad Practice with Login Forms Stephen de Vries (Jul 28)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 29)
- Re: Growing Bad Practice with Login Forms David Wall @ Yozons, Inc. (Jul 29)
- Re: Growing Bad Practice with Login Forms Ivan Krstic (Jul 28)
- RE: Growing Bad Practice with Login Forms Yvan Boily (Jul 27)
- RE: Growing Bad Practice with Login Forms Konstantin Ryabitsev (Jul 27)
- Re: Growing Bad Practice with Login Forms Darragh O'Brien (Jul 27)
- Summary: Growing Bad Practice with Login Forms athena (Jul 27)
- Re: Summary: Growing Bad Practice with Login Forms Ivan Andres Hernandez Puga (Jul 28)
- Re: Summary: Growing Bad Practice with Login Forms David Telfer (Jul 28)