Alaric Dailey wrote:
Sure, even if we don't steal the cert, most users don't read error boxes so
you could redirect them and use a fake cert.
This is again an orthogonal problem. Browser handling of things like
hostname/cert mismatches is abysmal. If they don't match, we should not show
the site, period. In my opinion, of course.
If we ignore for the moment that that IP does not resolve and pretend
it did...
Try removing the space.
I did that the first time. But yeah in current browsers, you get a long dialog
that most users would completely ignore. This needs to be fixed.
Actually, even if you have the right IP you _still_ might be in the
wrong place thanks to virtual hosting.
Exactly! And one more place for an attack.
But again, if the cert presented doesn't match the hostname the browser
requested the browser should not show the result.
I would assert that some CAs do the job of identity validation quite
well, and that even given the problems with RegisterFly and Verisign's
famous Microsoft mistake, that CAs attempt to do a good job at that.
Given some of the URIs posted in this thread earlier (demo sites that had certs
with an O field set to Fleet and a Fleet spoof on the front page, etc), I just
don't have the faith that you do in existing CAs.
And really, if you only get $20 for a cert you can't afford to do good
validation. That only pays for at most 30 minutes of time for anything
resembling a competent employee...
-Boris
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
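
Added example, not part of the original message or of any browser's code: a fail-closed hostname check of the kind the thread argues for, where a certificate that does not name the requested host means the page is not shown. The function names, hostnames and the shared address are constructed for illustration; the wildcard handling follows the usual left-most-label rule.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(pattern, host):
    """Match one certificate DNS name against the requested hostname.
    A wildcard is honoured only as the entire left-most label and covers
    exactly one label, never a whole suffix."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False                      # partial or non-leftmost wildcard
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False                      # "*.com" or wrong label count
    return p_labels[1:] == h_labels[1:]

def should_render(requested_host, cert_dns_names, cert_ip_addrs=()):
    """Fail closed: True only if the cert names what the user asked for."""
    if _is_ip(requested_host):
        # IP literals match only IP entries, never DNS names or wildcards.
        want = ipaddress.ip_address(requested_host)
        return any(want == ipaddress.ip_address(a) for a in cert_ip_addrs)
    return any(name_matches(n, requested_host) for n in cert_dns_names)

# Constructed virtual-hosting case: both names resolve to one address, but
# the server answers with the certificate of the other tenant.
SHARED_IP = "192.0.2.10"
TENANT_A_CERT = ["shop.example.com", "*.shop.example.com"]

if __name__ == "__main__":
    for host in ("shop.example.com", "bank.example.net", SHARED_IP):
        verdict = "render" if should_render(host, TENANT_A_CERT) else "block"
        print(f"{host:20} -> {verdict}")
```

Reaching the right IP address proves nothing here: the second and third requests land on the same server as the first and are still blocked, because the decision depends only on the name the user asked for.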