Gervase Markham wrote:
Ian G wrote:
Given, c) it is apparently easily bypassed for SSL
phishing (c.f., Shmoo), I would say that the padlock
only represents your "low assurance" grade.
Do not use the Shmoo Group IDN exploit as an example of "being easily
bypassed". The community has reacted very strongly to this problem for a
reason; I don't think you will see many IDN exploits in the future,
because the browsers are going to lock things down on a per-TLD basis so
each TLD has to convince them (or a trusted third party, perhaps) that
they have sufficient anti-homograph policies in place.
Yes, that may lock down the homograph thing, but it
does nothing to address the wider class of attacks.
I'm confused by one thing. Why is it that the Shmoo
IDN bypassing was so strongly reacted to, when the
whole phishing thing has been going on for years now,
and has not received even a tenth as much recognition
as Shmoo achieved in a weekend?
AFAICS, Shmoo was just a small example of the class
of domain spoofing attacks.
(So, when I say "Shmoo" I mean ... that class of
attacks, which remains easy and unaddressed. Shmoo
just happens to be a label that we know of as the
most clear expression of the class of attacks.)
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
