Duane wrote:
> Ian G wrote:
>> Ah, to clarify, I was sort of assuming they
>> wanted the cert for their website. If they
>> wanted the cert for email/code signing,
>> then that won't be so easy.
>
> Actually someone else pointed out an issue with the idea of screen
> scraping a website to prove domain control...
>
> "There are usually many more people with content change rights on the
> homepage than have administrative privileges on the server. The ability
> for adding content to the page (that might be closely monitored by
> others) is in no way equivalent to the ability to get an SSL cert for it
> (that might get used on a fake host). It would be a really nice
> privilege escalation."

Right. That's an insider attack, or as pointed out, a
privilege escalation. But the same applies to domains,
and indeed, any check that can be done can be
subverted by an insider attack.
The strategy is to find multiple checks that are cheap
but have little correlation with each other. It doesn't
matter so much if there is an easy attack on the one,
as long as it is a nuisance to combine it with another.
Also, bear in mind, the more the combined attack
spreads across more people, the more this indicates the
site shouldn't be using email-only-authenticated certs.
The intention is to secure a low value cert, not to make
it invulnerable.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/