Boris Zbarsky wrote:
Alaric Dailey wrote:
3. set up DNS and 2 servers on separate IPs with that cert

Again, you're predicating all your arguments on a stolen cert. Again, once this has happened you've lost, whether DNS is secure or not. But at this point several people have told you this repeatedly; it's pretty clear that you're going to consider implicitly using this strawman situation no matter what.

This is only one possible attack, how about setting up an MITM to the real site to skim passwords and credit card info? Sure even if we don't steal the cert, most users don't read error boxes so you could redirect them and use a fake cert.


Point your browser to https:// 70.167.227.244 and tell me, is that the right site?

If we ignore for the moment that that IP does not resolve and pretend it did...
Try removing the space.
no, that's not the right site -- the hostname doesn't match the hostname in the cert.

do you know? What IP should you get going to? are you sure?

The answer to that could be "any of this list of 10 IPs" for a single hostname, or "this one IP" for two totally different hostnames, of course.

Without DNS to translate the IP into something meaningful, and something the browser can match to (you know that DNS field in the cert), you have no idea you are at the right place.

Actually, even if you have the right IP you _still_ might be in the wrong place thanks to virtual hosting.
exactly! and one more place for an attack.

Browsers present SSL websites to users with an only slightly better illuminated box.... Most users have no idea there is something TO check much less how.

Yes, and further most users have no desire to learn what there is to check and how one would do it. They just want to get their stuff (banking, job, whatever) done.

Secure DNS would be great to have. Secure DNS in no way alleviates the problem of anyone being able to get a cert in someone else's name (which is pretty much where we are right now). Both problems need to be addressed.
I would assert that some CAs do the job of identity validation quite well, and that even given the problems with RegisterFly and Verisign's famous Microsoft mistake, that CAs attempt to do a good job at that.
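The point both posters keep circling (the browser can only compare the host in the URL against the names in the certificate, so the IP alone tells you nothing) can be shown in a few lines. The following is an added illustration, not code from the thread or from any browser; it implements a simplified version of the hostname/SAN comparison browsers do (RFC 6125-style, one leading wildcard label only) and uses a constructed certificate SAN list for a hypothetical bank. The IP 70.167.227.244 is the one from the thread, reused here purely as the "typed an IP instead of a name" case.

```python
import ipaddress
from typing import Iterable, List, Tuple

# A SAN entry is (kind, value) with kind in {"DNS", "IP"}; constructed for this example.
SanList = Iterable[Tuple[str, str]]

# Constructed SAN for a hypothetical bank certificate (no IP entries, like most real site certs).
EXAMPLE_BANK_SAN: List[Tuple[str, str]] = [
    ("DNS", "www.example-bank.test"),
    ("DNS", "example-bank.test"),
]


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of a dNSName SAN entry against a hostname.

    A single leading '*.' wildcard is allowed and covers exactly one label,
    so '*.example-bank.test' matches 'www.example-bank.test' but neither
    'example-bank.test' nor 'a.b.example-bank.test'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def host_matches_cert(url_host: str, san: SanList) -> bool:
    """Return True iff the host part of the URL matches some SAN entry.

    An IP literal in the URL only matches an iPAddress entry; a hostname only
    matches a dNSName entry. This is why https://<ip>/ fails against a cert
    issued for a hostname, and why a cert for one name on a shared IP does
    not vouch for a different name hosted on that same IP.
    """
    try:
        ip = ipaddress.ip_address(url_host.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, url_host):
            return True
    return False


def check_cases() -> dict:
    """Run the scenarios from the thread against the constructed SAN and report the verdicts."""
    return {
        # Correct hostname: only DNS (or /etc/hosts) got the user here, and the name matches.
        "www.example-bank.test": host_matches_cert("www.example-bank.test", EXAMPLE_BANK_SAN),
        # Browsing by raw IP: the cert has no iPAddress entry, so the browser cannot call it "the right site".
        "70.167.227.244": host_matches_cert("70.167.227.244", EXAMPLE_BANK_SAN),
        # Virtual hosting: another name on the same IP is a mismatch even with the right address.
        "other-site.test": host_matches_cert("other-site.test", EXAMPLE_BANK_SAN),
    }


if __name__ == "__main__":
    for host, ok in check_cases().items():
        print(f"{host:28s} -> {'match' if ok else 'MISMATCH (browser warns)'}")
```

The takeaway for defenders is the one Boris makes above: this comparison is the entire "is this the right site" decision, and it only works if both halves are trustworthy. Secure DNS protects the mapping from name to address; it does nothing about a CA issuing a certificate for the same name to the wrong party, so a SAN match is necessary but not sufficient.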

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security