Ian G wrote:
> I do the natty DNS poisoning trick that Nelson spoke
> of. I create a key and I send it to the CA. Then the
> CA sends back an encrypted email to that key, I
> decrypt it, and follow the instructions...
If I'm not mistaken this is the original snake oil that was pushed, and the only long-term problem is with email addresses/code signing, as you pointed out Ian, because it's the path less trodden. People usually notice websites acting strangely (and shortly thereafter complain about it) and not being what they appear to be, and while the DNS may be poisoned for a small section of the internet this won't be the sum total of it, and there are numerous simple ways of overcoming it. Namely probing name servers in far-flung locations: it might be easy to poison one caching name server or one person's PC, try doing it to 50 or 100 though.

High profile sites pay lots of money for this exact service to ensure that major providers aren't involved (directly or indirectly via automated processes) in the distribution of poisoned DNS information. Low profile sites, being a small target, usually have their DNS hijacked at the registrar level more often than not, in which case they have bigger issues than someone getting false certs issued.

The only issue with Ian's suggestion about probing a website/screen scraping then is for the domains people only use for email or whatnot and don't run websites, or run internal sites that are password protected from the outside world... Personally I have a number of domains I bought purely for email reasons, and while it's not impossible to get a temporary site up, will everyone else be in the same boat? What about the cheap email hosting deals that don't come with a website?

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."
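Duane's "probe name servers in far-flung locations" idea, as an added example that is not part of the thread: the check a validating CA could run before trusting the MX record it mails a challenge to. The resolver names, the quorum threshold and the sample answers below are constructed; the live `probe_mx` helper assumes the dnspython library.

```python
"""Multi-vantage MX consistency check (added example, not from the list thread).

Poisoning one caching resolver is easy; poisoning fifty in different networks
is not. So instead of trusting the single resolver the CA happens to use,
collect the MX answer from several vantage points and require a quorum.
"""
from collections import Counter


def consensus(answers, quorum=0.75):
    """answers maps a resolver label to the frozenset of MX targets it returned.

    Returns (agreed_mx_set, dissenting_resolvers). agreed_mx_set is None when
    no single answer reaches the quorum, in which case every resolver is listed
    as suspect and the validation e-mail should not be sent.
    """
    tally = Counter(answers.values())            # frozensets are hashable
    best, votes = tally.most_common(1)[0]
    if votes / len(answers) < quorum:
        return None, sorted(answers)
    dissent = sorted(label for label, mx in answers.items() if mx != best)
    return best, dissent


def safe_to_mail(answers, quorum=0.75):
    """True only when a quorum of vantage points agrees on the MX set."""
    agreed, _ = consensus(answers, quorum)
    return agreed is not None


def probe_mx(domain, nameserver_ips):
    """Live variant: ask each listed resolver IP directly. Requires dnspython
    (import is deferred so the offline sample below runs without it)."""
    import dns.resolver
    answers = {}
    for ip in nameserver_ips:
        r = dns.resolver.Resolver(configure=False)
        r.nameservers = [ip]                      # bypass the local cache
        rrset = r.resolve(domain, "MX")
        answers[ip] = frozenset(rd.exchange.to_text().lower() for rd in rrset)
    return answers


# Constructed sample: three vantage points agree, one returns a divergent MX,
# which is what a poisoned cache near that resolver would look like.
SAMPLE = {
    "resolver-a": frozenset({"mx1.example.net.", "mx2.example.net."}),
    "resolver-b": frozenset({"mx1.example.net.", "mx2.example.net."}),
    "resolver-c": frozenset({"mx1.example.net.", "mx2.example.net."}),
    "resolver-d": frozenset({"mx.rogue.example."}),
}
```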
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto