Boris Zbarsky wrote:
Alaric Dailey wrote:
Sure even if we don't steal the cert, most users don't read error
boxes so you could redirect them and use a fake cert.
This is again an orthogonal problem. Browser handling of things like
hostname/cert mismatches is abysmal. If they don't match, we should
not show the site, period. In my opinion, of course.
I would tend to agree along with a few other things.
If we ignore for the moment that that IP does not resolve and
pretend it did...
Try removing the space.
I did that the first time. But yeah in current browsers, you get a
long dialog that most users would completely ignore. This needs to be
fixed.
Actually, even if you have the right IP you _still_ might be in the
wrong place thanks to virtual hosting.
Exactly! And one more place for an attack.
But again, if the cert presented doesn't match the hostname the
browser requested the browser should not show the result.
However, with a DNS attack in combination (drive-by pharming, DNS
hijacking, hosts file modification with malware, etc.), the browser
becomes helpless to detect the problem.
In any case, if the user clicks through the warning box, or if the DNS is
hijacked so the browser can't tell, the assertion of the identity in the
certificate is meaningless. This has been my statement about how DNS
can sabotage identity assertions all along.
But then again this DNS issue was only one specific example of a
particular problem with SSL, one of many that EV certs do NOT address. I
really didn't mean for it to start this whole argument. However, it
appears that many people are unaware of the problems, and indeed what
SSL does and does not do, and how truly intertwined it is with DNS.
<http://cert.startcom.org/?app=109>
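The thread keeps returning to one rule: the certificate must match the hostname the user asked for, and a mismatch should fail closed rather than produce a dialog. The following is an added example, not code from any poster or from Mozilla, showing what that check looks like: subjectAltName matching (DNS names with the usual one-label wildcard rule, plus IP literals) against the requested name, and a client TLS context in which a mismatch aborts the handshake. The certificate dictionaries are constructed to imitate the shape of `ssl.SSLSocket.getpeercert()` and are not real certificates; the helper names (`match_dns_name`, `cert_matches_host`, `decide`, `strict_context`) are this example's own.

```python
"""Fail-closed hostname checking for TLS, as a stand-alone illustration.

Constructed example: the certificate dictionaries below imitate the shape
returned by ssl.SSLSocket.getpeercert(); they are not real certificates.
"""
import ipaddress
import ssl


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName pattern covers hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire leftmost label, with at least two labels
    after it, and it matches exactly one label: '*.example.org' covers
    'www.example.org' but neither 'example.org' nor 'a.b.example.org'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, requested_host: str) -> bool:
    """Check the certificate against the name the user actually requested.

    Only subjectAltName entries are consulted (DNS and IP Address); the
    Common Name is deliberately ignored. IP literals are compared as
    addresses, so textual variants of the same address still match.
    """
    san = cert.get("subjectAltName", ())
    try:
        requested_ip = ipaddress.ip_address(requested_host.strip("[]"))
    except ValueError:
        requested_ip = None
    for kind, value in san:
        if kind == "DNS" and requested_ip is None:
            if match_dns_name(value, requested_host):
                return True
        elif kind == "IP Address" and requested_ip is not None:
            try:
                if ipaddress.ip_address(value) == requested_ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry: treat as no match
    return False


def decide(cert: dict, requested_host: str) -> str:
    """Fail-closed policy: 'ALLOW' only on a match, otherwise 'BLOCK'."""
    return "ALLOW" if cert_matches_host(cert, requested_host) else "BLOCK"


def strict_context() -> ssl.SSLContext:
    """Client context in which a name mismatch aborts the handshake outright."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # compare the cert to the requested name
    ctx.verify_mode = ssl.CERT_REQUIRED  # and refuse unverified certificates
    return ctx


# Constructed sample certificates (not real), in getpeercert() dict shape.
SITE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (
        ("DNS", "example.org"),
        ("DNS", "*.example.org"),
        ("IP Address", "203.0.113.5"),
    ),
}
# A certificate that is valid for some other name: what a server reached
# through a wrong DNS answer might present. The CN alone proves nothing.
OTHER_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "login.example.net"),),
}

if __name__ == "__main__":
    for host in ("www.example.org", "example.org", "a.b.example.org", "203.0.113.5"):
        print(host, decide(SITE_CERT, host))
    print("example.org vs OTHER_CERT:", decide(OTHER_CERT, "example.org"))
```

The check keys on the name the user typed, not on whatever address DNS returned, so a server reached through a bad DNS answer is still blocked unless it presents a certificate that genuinely covers the requested name; that remaining case is exactly the one the poster describes as undetectable by the browser.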
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security