Ian Grigg wrote:
I'd also like to suggest that the first CA to be reviewed be VeriSign. I believe there are specific difficulties with VeriSign operating as a CA, as outlined in [1]. In brief, this company also operates a "compliance service" to ISPs and the like for the purposes of facilitating intercepts or eavesdrops on customers.
Ok, after reading a couple of your posts about the potential for Verisign to become the cause of MITM attacks with respect to it's other business ventures (or any CA for that matter) it seems to me the simplest way to over come this (even if issued from the same CA!) is to do what you've already stated in the past (and what SSH does in this instance).
First time a user hits a website store the fingerprint in a database (obviously this isn't 100% if the site is already being attacked via MITM), then popup warning messages if this ever changes.
Now the only problem with this suggestion as far as I know is from the fact that IIS can't handle a re-issued certificate, you have to generate a whole new request and so on and so forth, *but* if MS got enough complaints about this from enough people with enough money I'll bet they'd have fixes out for it sooner then later.
Now to have a message popup in your face is enough to scare off most naive users into entering any sensitive information or continuing with the connection, alternatively if a large number of connections start being intercepted it would also become obvious in website statistics that most/all connections were coming from a small number of IPs.
Depending on how much money someone wanted to throw at a wire-tapping system I guess, you could effectively have a large number of proxies installed the world over, but equally so if the system admin and the security community at large got wind of these kinds of practices, those proxies could get listed in an RBL and filtered out with a RBL filter in the website.
At the end of the day I think fingerprint tracking could pro-actively prevent some of these kinds of threats from CAs.
--
Best regards, Duane
http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers
"I do not try to dance better than anyone else.
I only try to dance better than myself."
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
