(I apologize in advance for my long-winded response... If I should take this
offline please let me know and I'll happily do so)

Ian G wrote:
> We wish!  But, no, check it out:
> "This holiday season, enable customers to transact 
> securely online, offline and over mobile devices."
> SSL was _purposed_ to protect credit card and other 
> transactions (these days, primarily online banking).
> A CA "Issues SSL Certificates to enable authenticated, 
> 128-bit SSL encryption that secure e-commerce and 
> online payments across the internet."
> If it was simply to vouch for domain ownership, then 
> we could do that the way Tucows and other registrars 
> do it by sending an email.  This would be wonderful, 
> and would save everyone a lot of money and time.
> (Which is what CACert is doing!  There's no reason 
> why anyone can't do it on the fly...)
> But that's not what CAs were set up for, originally.

  As I'm sure you're aware, all of the marketing quotes you mention can
occur without SSL certificates.  It's the SSL protocol that enables these
things to happen (with or without certs).  Don't let the marketing hype fool
you, the bottom line is the SSL cert vouches for the authenticity of a given
key-pair belonging to the same entity that owns the domain.  SSL may have
been purposed to protect transactions, but again, that's the protocol that
provides the protection, not the cert.  The cert simply addresses a
usability issue of SSL in that implicitly trusting every public key for
every SSL service one has to interact with would be burdensome.  Better to
trust an authority who can say that this public key belongs to this domain,
that one belongs to that one, etc., and then the user can decide if they
trust the domain for e-commerce.
  If we went the Tucows/email route, that would be fine and dandy except
that everyone would still have to implicitly trust every public key for
every SSL server they want to interact with.  They would still have the
protection of SSL, but not the ease of use that a public SSL CA brings by
binding domain name to public key. 

> Recall, phishing is an attack against commerce.
> SSL was meant to protect commercial activities.
> If SSL is not intended to stop things like spoofing 
> domains (phishing) to the user, what is it for?
> If we fix phishing (and fraud in general) by changes
> in the domain system, does that mean we can stop using SSL?

  Maybe my definition of phishing is flawed, but I've always thought of it
as an attack against people's trust, not an attack against commerce.
Commerce is a sub-set of what people put their trust in on the Internet,
although I will certainly concede that the vast majority of attacks against
people's trust on the Internet are commercial in nature.
  SSL is *not* intended to stop things like phishing, it's intended to
protect data en route between two applications.  
  Server certificates *are* intended to stop things like phishing, but that
will only work if we eliminate every possible avenue of phishing on servers
that don't have an SSL server certificate from a publicly trusted CA (good
luck on that one).  If we don't, then phishers will just use non-certified
avenues of attack. 
  When I said that registrars should disallow certain levels of domain name
similarity, I said it in the hopes that we would realize that we're not
going to get SSL certs on every site in the world, and that we have to
address phishing on non-SSL sites too.  Doing it at the registrar level
seemed like a logical place to start.

> This is really weird. The SSL CA promises trust.

Maybe so, but so does the Nigerian Prince in my Inbox who has a 'trustworthy
business deal to propose'.

> anybody but the CAs should be responsible for controlling 
> of potentially fraudulent domain activities?  

You're kidding yourself if you think CAs are or will be responsible for
controlling potentially fraudulent domain activities.  It just won't happen.
Even if it did, very few people/browsers are checking revocation status of
the SSL cert, so it's a moot point until all the browsers of the world are
modified to always validate SSL certs and all the users in the world stop
entering passwords into non-SSL-enabled sites.

> To date, anyone can create any domain.  All the domain system
> does is create a record for name-IP translation and record who
> owns that name.  Is that the system you want to change?

Absolutely.  I want to see the registrar automatically sign up amazon.com to
have all of the possible phishing permutations of that domain so that no one
can buy one similar enough to result in successful phishing attacks.  This
can be easily automated, the hard part is coming up with the rules on what
is similar enough and what isn't.  It would be a societal study to come up
with such a rule set, but it's human nature and human society that we're
dealing with when it comes to phishing isn't it?

-Alex Wight
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto

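The last paragraph of the message above claims that generating the "phishing
permutations" of a domain is easy to automate and that the hard part is the
rule set for "similar enough". The following is an added example, not code
from the thread or from any registrar, that does both halves on a small
scale: it enumerates look-alike candidates for a protected label (omission,
transposition, repetition, adjacent-key substitution, homoglyphs, hyphen
insertion) and then applies a hypothetical similarity rule set (homoglyph
normalisation, optimal-string-alignment edit distance of at most 1, and
"contains the protected label") to decide whether a proposed registration
should be refused. The homoglyph and keyboard-adjacency tables and the
threshold are assumptions chosen for illustration, not any real registry
policy; TLDs are deliberately ignored because a .com registrar cannot
control other TLDs.

```python
"""Look-alike domain generation and a toy 'too similar to register' check.

Added example for the mailing-list discussion above; not code from the thread.
HOMOGLYPHS, ADJACENT, CANONICAL and MAX_DISTANCE are assumed, illustrative
rules, not a published registry standard.
"""

# Assumed homoglyph table: what a user may visually confuse in a URL bar.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1"], "i": ["1"], "e": ["3"], "a": ["4"], "s": ["5"],
    "m": ["rn"], "w": ["vv"], "0": ["o"], "1": ["l"],
}
# Assumed (partial) QWERTY neighbour table for fat-finger substitutions.
ADJACENT = {"a": "qwsz", "m": "njk", "z": "asx", "o": "ipl", "n": "bhjm"}
# Assumed canonical forms used to undo homoglyph tricks before comparing.
CANONICAL = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"}
MAX_DISTANCE = 1  # assumed threshold: one edit away is "too similar"


def split_domain(domain):
    """'Amazon.com' -> ('amazon', 'com'); a bare label gets an empty TLD."""
    label, sep, tld = domain.lower().rpartition(".")
    return (label, tld) if sep else (tld, "")


def permutations(domain):
    """Enumerate look-alike domains for `domain` under the rules above."""
    label, tld = split_domain(domain)
    out = set()
    for i in range(len(label)):                      # omission
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                      # repetition
        out.add(label[:i] + label[i] * 2 + label[i + 1:])
    for i, ch in enumerate(label):                   # adjacent-key typo
        for rep in ADJACENT.get(ch, ""):
            out.add(label[:i] + rep + label[i + 1:])
    for i, ch in enumerate(label):                   # homoglyph swap
        for rep in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + rep + label[i + 1:])
    for i in range(1, len(label)):                   # hyphen insertion
        out.add(label[:i] + "-" + label[i:])
    out.discard(label)
    return {c + "." + tld if tld else c for c in out}


def normalise(label):
    """Undo multi-character and single-character homoglyphs and hyphens."""
    label = label.replace("rn", "m").replace("vv", "w").replace("-", "")
    return "".join(CANONICAL.get(c, c) for c in label)


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_registration(candidate, protected):
    """Return (allowed, reason) for registering `candidate` next to `protected`.

    Labels only; the TLD is ignored on purpose (see lead-in).
    """
    c_label, _ = split_domain(candidate)
    p_label, _ = split_domain(protected)
    if c_label == p_label:
        return False, "exact label match"
    c_norm, p_norm = normalise(c_label), normalise(p_label)
    if c_norm == p_norm:
        return False, "homoglyph/hyphen variant"
    dist = osa_distance(c_norm, p_norm)
    if dist <= MAX_DISTANCE:
        return False, "edit distance %d" % dist
    if p_norm in c_norm:
        return False, "contains protected label"
    return True, "distinct"


if __name__ == "__main__":
    protected = "amazon.com"  # constructed sample input
    cands = sorted(permutations(protected))
    print("%d look-alikes for %s, e.g. %s" % (len(cands), protected, cands[:5]))
    for name in ["amaz0n.com", "arnazon.com", "amazon-support.com",
                 "amazing.com", "example.com"]:
        print(name, check_registration(name, protected))
```

Every candidate the generator emits is refused by the checker, which is the
property a registrar would want before turning this on; the interesting
failures are the ones the tables do not know about (new homoglyphs, IDN
scripts), which is exactly the "societal study" the message says is the
hard part.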