Having a more complete cert would raise the bar for social engineering attacks like the one being done at the fake MSN Web site. Right now, the ActiveX control gives the impression that it is coming from Microsoft.
Another fix for this kind of problem is that Internet Explorer checks with the issuing agency to see if a cert has been revoked before the ActiveX control is allowed to be installed. Richard -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, May 12, 2003 1:34 PM To: Richard M. Smith Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] MSN Webcam / Chat Spoof On Mon, 12 May 2003 10:09:32 EDT, "Richard M. Smith" <[EMAIL PROTECTED]> said: > My question: Why can't an Authenticode certificate present the > following information to a user: > > - Company name > - Street address > - Phone number > - Web site URL > - Contact Email address > - Company logo > - Link to a product description page OK.. .So you get a cert - now other than "phone number", is there anything there that *really* increases your confidence level (given that you have 2 http:// and a mailto: URL, and they could all point at a hijacked server)? Remember that there has already been one well-publicized case of Verisign issuing a bogus Microsoft cert - there's no proof they haven't made the same social-engineering whoops on possibly *dozens* of lesser-known software houses. And after the dot-bombed era, there's probably a *lot* of places that had certs and went belly up - and said certs went out the door when the servers they were on got surplused. I'm sure snooping around the right hacker IRC channels will find you a pointer to a black-market cert that you can have a copy of.... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
