On 11/09/2011, at 1:30, Douglas Huff <[email protected]> wrote:
> On Sep 10, 2011, at 8:28 AM, Ian G wrote: > >> Hi Adam, >> >> On 10/09/2011, at 20:16, Adam Back <[email protected]> wrote: >> >>> So I hear CA pinning mentioned a bit as a probable way forward, but I didnt >>> see anyone define it on this list, >> >> Adam described it in this list. The specific mechanism is less important >> than what it achieves: the browser knows that the website is constrained to >> use the certs of only one CA. >> >> The rest is implementation detail. > > It's not at all though! :) > Today CA compromise isn't even a, let alone the most, common way of > "exploiting" the blanket trust of all CAs involved in the PKI infrastructure. Is the current attack an exploit? Or is it a direct attack on the infrastructure? > The two most common methods are: > 1) MITM where the attacker controls the victim's network connection to some > extent and redirects them to or proxies them through a different server. Do you have any numbers on that? I thought this was relatively rare. > 2) Phishing using a similar-looking domain name. Yes. That's the big one in this space. Afaik. > In case 1 any type of pinning that is not hardcoded in the software, Sorry, please explain? Are you assuming that the user's machine / browser is compromised? If that is the case, isn't hard-coding just obfuscation? Iang _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
