On 3/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > On Wed, 15 Mar 2006 15:14:47 EST, Brian Eaton said: > > tim-security at sentinelchicken.org wrote: > > > How trustworthy are the CA certificates included in the average browser? > > > > There are a couple of dozen CA certificates shipped with my browser. > > Some of the vendors associated with these CA certificates offer to > > give me a certificate for my web site in 10 minutes or less for a > > couple of hundred dollars. > > > > This sounds like a really ripe opportunity for social engineering to me. > > Been there, done that already. There was a phishing run a while ago, > the guys even had a functional SSL cert for www.mountain-america.net (the > actual bank was mntamerica.net or something like that..) > > Only real solution there is to get a good grip on what a CA is actually > certifying, which is a certain (usually very minimal) level of > *authentication*. They're certifying that somebody convinced them that the > cert > was for who they claimed it was for. That's it. Anybody who attaches any > *other* meaning to it is making a big mistake. In particular, "authorization" > is totally out-of-scope here.... > > "You are now talking to the site that one of the CAs you trust thinks belongs > to Frobozz, Inc.". > > If you don't trust that CA's judgment, you better heave their root cert > overboard... >
Brian Krebs from the Washington Post wrote a column about the Mountain America scam, and he even got somebody from Geotrust to comment on what went wrong. The column is here: http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html Here's the section of the article that has Geotrust's response: <----snip----> Joan Lockhart, the company's vice president of marketing, said the site was registered on Sunday and the cert was issued early this morning. Lockhart said Geotrust has a rigorous process in place to check for phishy certificate requests that relies on algorithms which check cert requests for certain words, misspellings or phrases that may indicate a phisher is involved. In this case, she said, the technology did not flag the request because there was nothing in the Internet address to indicate the site was at all related to a financial institution. Geotrust's cert verification process is largely automated: when someone requests a cert for a particular site, the company sends an e-mail to the address included in the Web site's registrar records, along with a special code that the recipient needs to phone in to complete the process. Lockhart said she doubted that inserting a human into that process would have flagged the account as suspicious. "I would argue that probably anyone who is processing mountain-america.net would not have raised flags," she said. <----snip----> My read of that statement is that Geotrust sees nothing wrong with their verification process and is not going to take any action to prevent this from happening again. The incentives for the CAs are in all the wrong places. They suffer no financial harm when they certify a false identity. Instead, they make a quick buck. - Brian _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
