Alaric Dailey wrote:
Actually, many of them were; they were simply ignored by CAs and developers that were more interested in making money selling snake oil than doing things right. For example, SSL for identification is worthless without DNS being secured.

Please outline briefly how an attack on the DNS can make SSL worthless?

I understand how it can make you connect to a machine you don't want to, but that machine needs to have a certificate for the domain it is trying to fake, signed by a CA in your root store. Isn't that right? If so, the problem reduces to the one about getting certificates for domains you don't control.

Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
