Re: The real problem that https has conspicuously failed to fix
-- On 10 Jun 2003 at 23:26, Anonymous wrote:

In short, if Palladium comes with the ability to download site-specific DLLs that can act as NCAs, it should allow for solving the spoofed-site problem once and for all. When you login to paypal or e-gold, you would authenticate yourself using a cert that only those sites could see. This can be done in the framework of standard SSL, but would require a Palladium-aware browser.

Well, this would work just great provided the browser was made palladium aware in such a way as to be useful to the user, rather than to verisign.

--digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG VBdyipPLv5JzjJ0eIFxxeMDsO30Us9Mvs7lmm2ka 4R5+YjVhKptjgGIVZsjTfX5nDogjTf2G8x7fRhKmN

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: An attack on paypal
Steven M. Bellovin wrote:

Let me point folk at http://www.securityfocus.com/news/5654 for a related issue. To put it very briefly, *real* authentication is hard.

It may be that real authentication is hard, but the unbelievably sloppy practices of domain name registrars don't prove the case.

Imagine if property ownership were recorded with the same degree of rigor. I'm sorry, sir, but you don't own your house any more. We received a typewritten letter with your name on it saying you were transferring ownership to ShoppingMall Inc. The demolition teams are moving in, and I'm afraid you'll have to be out by Friday.

Domain names are handled carelessly while real estate is not, due to many factors. Probably one of the main ones is the relative immaturity of the domain name system compared to the centuries of experience we have evolving mechanisms to deal with real property.

Clearly the registrars are making little or no effort to authenticate domain name transfers at present. At one time you could specify that only messages signed with a given PGP key would authorize a transfer, but that precaution has apparently disappeared, no doubt due to lack of interest and the costs of support.

Maybe this could be something that a registrar could use to differentiate itself from the many otherwise-identical competitors in the market: we won't let your domain names get stolen. What a novel concept.
Re: An attack on paypal
Matt Crawford [EMAIL PROTECTED] writes:

... Netscrape and Internet Exploder each have a hack for honoring the same cert for multiple server names. Opera seems to honor at least one of the two hacks, and a cert can incorporate both at once.

    /C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services
    /CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov
    /CN=bravo.fnal.gov/CN=charlie.fnal.gov

Just to clarify this, so you need a multivalued CN, with one containing the expression (a|b|c) and the remaining containing each of a, b, and c? Is it multiple AVAs in an RDN, or multiple RDNs? (Either of these could be hard to generate with a lot of software, which can't handle multiple AVAs in an RDN or multiple same-type RDNs). Which hack is for MSIE and which is for Netscape?

Each CN is in a single-element RDN as usual. Netscape honors only the first CN in the SubjectDN, but will treat it as a restricted regex (shell-like * wildcard, alternation and grouping). IE checks the server name against each CN's individually.

This was mainly determined by experimentation. I think we did find a limit on how long that first regex could be, but I don't remember what it was. Longer than my example, but short enough that some of our bigger virtual-hosting servers were inconvenienced by it.

OpenSSL has no qualms about multiple same-type components. You just have to use the somewhat documented

    0.commonName = ...
    1.commonName = ...
    2.commonName = ...

in the configuration file.
Re: The real problem that https has conspicuously failed to fix
At 08:20 PM 6/11/2003 -0700, James A. Donald wrote:

I think you have put your finger right on the problem. Certificates, https, and the entire PKI structure were designed for an accountless world, but the problem is accounts.

or slightly more accurately doing authentication for accounts.

the other is frequently confusing identification with authentication. the internet registries (both domain and ip-address) haven't been doing authentication ... but just some simple identification. there are situations where identification may be quite orthogonal to whether or not you are the owner of the account in question.

also, identification also tends to open up the whole can of worms around protecting privacy. as periodically stated (in reference to x9.59) thick blanket of encryption protecting privacy information is good, the information not being there at all is even better.

-- Anne Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
Re: An attack on paypal
At 03:38 PM 6/11/03 -0600, Anne Lynn Wheeler wrote:

even before e-commerce, the real BBB process was that people called up the BBB and got realtime information i.e. it was an online, realtime process. the equivalent for an online, internet paradigm (as opposed to something left over from the offline email genre of at least 10--15 years earlier) was that the browser table of trusted entities were of online authorities (as opposed to certificate manufacturing) and if you cared, you clicked thru to the BBB and got realtime information about the merchant in question (being equivalent to when people call the BBB to actually get some level of real input as opposed to just a fuzzy comfort feeling).

When I buy $20 of gas with non-bearer credentials (ie, credit card), the vendor does a real-time check on me. Seems fair/useful to be able to do same on them.

I suppose eBay's feedback suffices... if their last N feedbacks are negative, I might go elsewhere.
RE: Keyservers and Spam
At 05:47 PM 6/11/03 -0700, Bill Frantz wrote:

To try to reflect some of David's points with a real-world situation. I was at work, with a brand new installation of PGP. I wanted to send some confidential data home so I could work with it. However I didn't have my home key at work, so I didn't have a secure way to send either the data, or the work key. I didn't even have the fingerprint of the home key.

My solution was to pull Carl Ellison's business card out of my pocket. It had his key fingerprint on it, and I remember getting it directly from him, so I could trust the fingerprint. Now Carl had signed my key, so when I downloaded it from the key server, I could verify that it was indeed mine (to the extent I trusted Carl).

Carl's signature, and the key server allowed me to bootstrap trust into my own key. But with a key server, I didn't have to bother Carl to send me my key. Or depend on him being online when I needed it.

True, although:

1. you could have had your own key-fingerprint on your own bizcard and done the same.

2. you needn't have had your valid email address there (going back to the spam-thread), perhaps just your regular name.

In fact you could have your key on your home server, not in a public server which serves as spambait. Your home server could be unlisted by using an alternate port. (I do this to get around ISP blocking, but then I'm not trying to publish papers on my home server.) Or use CGI, or a password mechanism, to deter spam-spiders.

The point with spam and publishing your email address is that it's like having a public physical storefront: anyone can pay the price of a cigarette to a stream of homeless people to clog your physical store. Or form a huge line if you have bouncers at the door. That's what having a public interface means.

3. I think you also trusted that Carl has not been compromised and re-signed a bogus key *after* he first signed it.

(Not picking on Carl here :-)
certificates the alternative view
I think you have put your finger right on the problem. Certificates, https, and the entire PKI structure were designed for an accountless world, but the problem is accounts.

the other view ... is using a little information theory is that certificates are stale, static, read-only copy of information in the certificate authority's account record targeted for offline environments where the relying party has no access to the real authoritative agency responsible for the information.

one of the things from the '90s, in the transition from offline to the start of a pretty much ubiquitous online world was trying to come up with things to put into certificates to justify their price. One of the attempts was extreme overloading of the certificate with large amounts of identity and privacy information, and furthermore you convince the public that they should pay for the privilege of having huge amounts of their privacy information sprayed all over the world.

The fallback is to attempt to reduce as much as possible any information of actual value in a certificate and to not go around confusing identification with authentication. This was sort of the relying-party-only certificates from the financial community in the later part of the 90s don't put any information of any value what-so-ever in a certificate; just create these huge, very large bit patterns that were one hundred times larger than a typical payment transaction and require that these extremely large bit patterns had to be attached to every payment transaction sent back to the financial institution (which already had the original copy of all the information).

From this it was possible to demonstrate a PKI infrastructure where every certificate was compressed to zero bytes. The horrible payload penalty and information/privacy leakage problem was ultimately addressed with zero byte certificates. They contained zero byte, stale, static, read-only copy of the information in the certificate authority's account record.

-- Anne Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
Re: An attack on paypal
At 05:34 PM 6/11/2003 -0700, David Honig wrote:

When I buy $20 of gas with non-bearer credentials (ie, credit card), the vendor does a real-time check on me. Seems fair/useful to be able to do same on them. I suppose eBay's feedback suffices... if their last N feedbacks are negative, I might go elsewhere.

we sort of tried that ... however the financial justification sort of fell apart. the big thing about BBB is being able to trust some merchant that you have absolutely no knowledge about. However, the actual buying patterns are extremely skewed ... with well over 80 percent of the transactions either repeat or with some organization that there are other avenues of trust propagation and involving a very small number of very large merchants. The BBB model tends to work with higher value, infrequent transaction.

The remaining online, merchant market segment not covered via other trust processes, tended to represent a small percentage of total transactions, spread over a very large population of very small merchants, and frequently low value.

eBay is an attempt to provide an alternative delivery for such market segment and the issue is how does eBay operations break even financially on a BBB like offering. The first filter is to quickly catch major scamming operations ... and differentiate between the one-off transactions.

-- Anne Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
PKI not working
picked up from a ietf pkix mailing list posting:

http://www.garlic.com/~lynn/aadsm14.htm#43
http://www.kablenet.com/kd.nsf/Frontpage/2FBC229CDE8C5A1680256D43004176EA?OpenDocument

-- Anne Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
Re: An attack on paypal
--- James A. Donald [EMAIL PROTECTED] wrote:

-- On 11 Jun 2003 at 20:07, Steven M. Bellovin wrote:

Let me point folk at http://www.securityfocus.com/news/5654 for a related issue. To put it very briefly, *real* authentication is hard.

I don't think so. Verisign's authentication is notoriously worthless and full of holes, yet very few attacks have been based on getting certificates issued to wrong party, or on stealing poorly defended and readily accessible certificates, even though that is quite easy to do.

On the whole PKI as used today is fairly useless. I mean just because Company A signed/issued me a key doesn't mean I'm a nice guy nor a legit business. All it means is I paid money to have another company sign my key.

What *would* be more useful is a model of web-o-trust. E.g. you make up your own key. Then you import public keys from third-party auditors you trust. Over time the auditors will visit the business and if they like it they will sign the key. So say you trust auditors A, B and C and I trust auditors B, C and D. Well chances are if company Z is good they will be audited by at least one of the auditors we have in common.

Unfortunately there is easy corruption in this model so you would have to keep tabs on your auditor yourself. However, in this model it wouldn't cost money [hey everything net-related should cost money right?] and would actually be meaningful.

Tom
Session Fixation Vulnerability in Web Based Apps
http://www.acros.si/papers/session_fixation.pdf

A Jobless Recovery is like a Breadless Sandwich. -- Steve Schear
Re: An attack on paypal
IE checks the server name against each CN's individually.

I found that by experimentation too. I have a VBScript sample on how to generate such a CSR request for IIS using the CryptoAPI.

Furthermore, IE does not care if the CNs have different domains. e.g.

    /CN=www.domain.com/CN=www.domain.net/CN=www.domain.org

-or even-

    /CN=www.domain.com/CN=www.cypherpunks.com/CN=www.microsoft.com

You can self-sign such a cert with OpenSSL just fine. Whether you can get a real CA to sign such a thing is another matter.

Adam
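
The two client behaviours reported in the "An attack on paypal" messages above (first CN only, read as a restricted pattern, versus each CN compared individually) are modelled below in Python, together with a check that flags a subject whose CNs span more than one domain. This is an added example, not code from any poster or browser; the function names, the slash-form parser, the handling of `*` as staying within one DNS label, and the last-two-labels domain approximation are assumptions.

```python
import re

# Subject DNs quoted in the thread (line-wrap spaces removed).
FNAL = ("/C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services"
        "/CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov"
        "/CN=bravo.fnal.gov/CN=charlie.fnal.gov")
MIXED = "/CN=www.domain.com/CN=www.cypherpunks.com/CN=www.microsoft.com"

def common_names(subject):
    """CN values in order of appearance (assumes no '/' inside values)."""
    return [p[3:] for p in subject.split("/") if p[:3].upper() == "CN="]

def first_cn_pattern_match(host, cns):
    """Model of the first behaviour: only the first CN counts, read as a
    restricted pattern with '*', alternation and grouping."""
    if not cns:
        return False
    out = []
    for ch in cns[0]:
        if ch in "(|)":
            out.append(ch)
        elif ch == "*":
            out.append("[^.]*")  # assumption: '*' does not cross a dot
        else:
            out.append(re.escape(ch))
    try:
        return re.fullmatch("".join(out), host, re.IGNORECASE) is not None
    except re.error:  # unbalanced grouping: treat as no match
        return False

def any_cn_exact_match(host, cns):
    """Model of the second behaviour: each CN compared individually."""
    return host.lower() in (cn.lower() for cn in cns)

def distinct_domains(cns):
    """Rough audit key: last two labels of each CN (no public-suffix list)."""
    return sorted({".".join(cn.lower().split(".")[-2:]) for cn in cns})

def audit(subject, host):
    """Summarise how each model treats host and whether the CNs mix domains."""
    cns = common_names(subject)
    domains = distinct_domains(cns)
    return {"cn_count": len(cns),
            "first_cn_pattern": first_cn_pattern_match(host, cns),
            "any_cn_exact": any_cn_exact_match(host, cns),
            "domains": domains,
            "flag": len(cns) > 1 and len(domains) > 1}

if __name__ == "__main__":
    for subject, host in ((FNAL, "bravo.fnal.gov"), (MIXED, "www.microsoft.com")):
        print(host, audit(subject, host))
```

The `flag` field marks a multi-CN subject for review only when its CNs fall under more than one domain, so the single-organisation Fermilab subject passes while the mixed-domain subject is flagged.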