> Ian Grigg wrote: > >> I'd also like to suggest that the first CA to >> be reviewed be VeriSign. I believe there are >> specific difficulties with VeriSign operating >> as a CA, as outlined in [1]. In brief, this >> company also operates a "compliance service" to >> ISPs and the like for the purposes of facilitating >> intercepts or eavesdrops on customers. > > Ok, after reading a couple of your posts about the potential for > Verisign to become the cause of MITM attacks with respect to it's other > business ventures (or any CA for that matter) it seems to me the > simplest way to over come this (even if issued from the same CA!) is to > do what you've already stated in the past (and what SSH does in this > instance). > > First time a user hits a website store the fingerprint in a database > (obviously this isn't 100% if the site is already being attacked via > MITM), then popup warning messages if this ever changes.
Yes, something like that. There are many good ideas out there, like the petnames, the logos, the branding and counts. Popups would certainly work, although they only flag changes in known sites, whereas the larger threat is phishing, which is a spoofed site (so can only be shown in the absence). Either way, there is lots of good experimentation to be done. Firefox has this coloured URL bar which is a good idea, although adding the padlock in there doesn't work, or at least cannot be relied upon, given the favicon attack. > Now the only problem with this suggestion as far as I know is from the > fact that IIS can't handle a re-issued certificate, you have to generate > a whole new request and so on and so forth, *but* if MS got enough > complaints about this from enough people with enough money I'll bet > they'd have fixes out for it sooner then later. MS will follow on as soon as they work out that they can deal with phishing by adjusting the security model. In practice, someone else has to demonstrate a working verion, then they can lift it. I wouldn't worry about them. > Depending on how much money someone wanted to throw at a wire-tapping > system I guess, you could effectively have a large number of proxies > installed the world over, but equally so if the system admin and the > security community at large got wind of these kinds of practices, those > proxies could get listed in an RBL and filtered out with a RBL filter in > the website. > > At the end of the day I think fingerprint tracking could pro-actively > prevent some of these kinds of threats from CAs. Yes. There was a bit of a wild leap of faith back in the early architecture days, when it was assumed that a trusted third party could be created just by pointing and naming. In business terms, TTPs, (or as we now have them CAs), are a very big expensive endeavour, and nothing is easy about them. A whole lot more can be done by client-based tracking of fingerprints for a whole lot less money. Although, the CA branding is quite powerful (in either Amir/Ahmad's terms or my terms) and it works well when accompanied by client based tracking. I see an enlarged market for them when the security model gets its legs. And given the dramatic collapse in Internet security over 2003/2004, we are going to need them to segment phishing into CA boxes and out of CA boxes so that users and CAs both have something to hold on to. iang _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
