Gervase Markham wrote:
> Alaric Dailey wrote:
>> Actually many of them were, they were simply ignored by CAs and
>> developers that were more interested in making money selling snake
>> oil than doing things right. For example SSL for identification is
>> worthless without DNS being secured
>
> Please outline briefly how an attack on the DNS can make SSL worthless?
> I understand how it can make you connect to a machine you don't want
> to, but that machine needs to have a certificate for the domain it is
> trying to fake, signed by a CA in your root store. Isn't that right?
> If so, the problem reduces to the one about getting certificates for
> domains you don't control.

Two attacks spring to mind; both start with "Poison the cache or hijack
the DNS completely".

1. Then redirect the http: connection to a look-alike site that has an
SSL cert that they got honestly; hell, it might even be an EV cert, so the
users get the green bar. Because the cert will be valid, the user won't
know any different.
2. Steal the cert, which is easier than you might think since
something like 80% of all security breaches are internal, and set up a
site using the stolen cert, as most users don't have certificate
checking turned on.

The anti-fraud list over at CAcert has gone over these, and many other
possibilities. I didn't even touch on self-signed certs, making
look-alike CAs, etc.

If you ask me, all Mozilla products should be configured to reject
self-signed certs for sites; there is no reason for them. Heck, I even
found a Mozilla security announcement.
http://www.mozilla.org/security/announce/2006/mfsa2006-58.html