Taral wrote:
On Wed, Feb 09, 2005 at 07:41:36PM +0200, Amir Herzberg wrote:
Want to protect your Mozilla/FireFox from such attacks? Install our
TrustBar: http://TrustBar.Mozdev.org
(this was the first time that I had a real reason to click the `I don't
trust this authority` button...)
Opinions?
On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote:
[...]
One member of this mailing list, in a private exchange, noted that
he had asked his bank for their certificate's fingerprint. My
response was that I was astonished he found someone who knew what
he was talking about.
Steven M. Bellovin [EMAIL PROTECTED] writes:
Is a private root key (or the equivalent signing device) an asset that can be
acquired under bankruptcy proceedings? Almost certainly.
Absolutely certainly. Even before Baltimore, CA's private keys had been
bought and sold from/to third parties,
Steven M. Bellovin wrote:
Unusual CA? I'm not sure what a *usual* CA is.
Just for fun, I opened up the CA list that came with my copy of
Firefox. There are no fewer than 40 different entities listed, many of
whom have more than one certificate. I personally know less than half
of them to be
On Wed, Feb 09, 2005 at 09:08:45PM +, Ian G wrote:
The plugin is downloadable from a MozDev site,
and presumably if enough attention warrants it,
Amir can go to the extent of signing it with a
cert in Mozilla's code signing regime.
That only authenticates that Amir wrote the code, not
Taral wrote:
On Wed, Feb 09, 2005 at 07:41:36PM +0200, Amir Herzberg wrote:
Want to protect your Mozilla/FireFox from such attacks? Install our
TrustBar: http://TrustBar.Mozdev.org
(this was the first time that I had a real reason to click the `I don't
trust this authority` button...)
Opinions?
Steve, my point was not the trivial fact that TrustBar would not display
the homograph; suppose it did... even then, the user is _asked_ about
the certificate, since it was signed by an unusual CA that the user did
not specify as `to be trusted always`; this should certainly be a good
warning
Taral wrote:
On Wed, Feb 09, 2005 at 09:08:45PM +, Ian G wrote:
The plugin is downloadable from a MozDev site,
and presumably if enough attention warrants it,
Amir can go to the extent of signing it with a
cert in Mozilla's code signing regime.
This, of course, is up to Mozilla, not to me...
In message [EMAIL PROTECTED], Amir Herzberg writes:
Steve, my point was not the trivial fact that TrustBar would not display
the homograph; suppose it did... even then, the user is _asked_ about
the certificate, since it was signed by an unusual CA that the user did
not specify as `to be
How can Trustbar help me if the site in question is not even SSL
based. Homograph based attacks are imo a different class of its own.
SK
On Wed, 09 Feb 2005 19:41:36 +0200, Amir Herzberg
[EMAIL PROTECTED] wrote:
Want to see a simple, working method to spoof sites, fooling
Mozilla/FireFox/...
On Wed, Feb 09, 2005 at 07:41:36PM +0200, Amir Herzberg wrote:
| Want to see a simple, working method to spoof sites, fooling
| Mozilla/FireFox/... , even with an SSL certificate and `lock`?
|
| http://www.shmoo.com/idn/
|
| See also:
|
|
In message [EMAIL PROTECTED], Amir Herzberg writes:
Want to see a simple, working method to spoof sites, fooling
Mozilla/FireFox/... , even with an SSL certificate and `lock`?
http://www.shmoo.com/idn/
See also:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=3866526512
Want to protect
Adam Shostack wrote:
Have you run end-user testing to demonstrate the user-acceptability of
Trustbar?
Yes, this was asked over on the cap-talk list.
Below is what I posted there. I'm somewhat
sympathetic as doing a real field trial which
involves testing real responses to a browser
attack
Taral wrote:
On Wed, Feb 09, 2005 at 07:41:36PM +0200, Amir Herzberg wrote:
Why should I trust you? Filtering xn--* domains works for me, and
doesn't require that I turn my browser over to unreviewed, possibly
buggy code.
I understand this is a theoretical question, but
here is an answer:
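The "filter xn--* domains" rule Taral mentions above, and the homograph attacks SK refers to earlier in the thread, are easy to check mechanically. The following is an added example, not code from the thread, from TrustBar or from the shmoo.com page. It decodes punycode (xn--) labels back to Unicode with Python's built-in idna codec, flags any label that is not pure ASCII, and separately reports labels that mix scripts (Latin and Cyrillic in one label is the classic homograph case). The sample hostnames are constructed for the example; the spoofed one replaces the Latin "a" in "paypal" with U+0430 CYRILLIC SMALL LETTER A.

```python
import unicodedata

# Constructed sample hostnames (not taken from the original thread).
LEGIT_HOST = "www.paypal.com"
SPOOF_HOST = "www.p\u0430ypal.com"   # second letter is Cyrillic U+0430, not Latin "a"


def punycode_form(host: str) -> str:
    """Return the ASCII (xn--) form a resolver or URL bar would actually use."""
    return host.encode("idna").decode("ascii")


def to_unicode_host(host: str) -> str:
    """Accept either Unicode or punycode input and return the displayed Unicode form.

    encode("idna") passes pure-ASCII labels through unchanged and converts
    Unicode labels to xn-- form; decode("idna") then turns every xn-- label
    back into the glyphs the user sees, so both input kinds end up identical.
    """
    return host.encode("idna").decode("idna")


def blocks_all_idn(host: str) -> bool:
    """Taral's coarse rule: refuse any hostname that contains an xn-- label."""
    return any(label.startswith("xn--") for label in punycode_form(host).split("."))


def label_scripts(label: str) -> set:
    """Scripts used by the letters in a label, taken from the first word of each
    character's Unicode name (e.g. 'LATIN SMALL LETTER P' -> 'LATIN')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def suspicious_labels(host: str) -> list:
    """Return (label, reason) pairs for each label a browser or proxy might warn on.

    A pure-ASCII label cannot be a homograph of another pure-ASCII label, so it
    is skipped. A non-ASCII label that mixes scripts is the strongest signal;
    a single-script non-ASCII label is reported more mildly, since legitimate
    IDNs (e.g. a German or Russian word) look exactly like that.
    """
    findings = []
    for label in to_unicode_host(host).split("."):
        if label.isascii():
            continue
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))
        else:
            findings.append((label, "non-ASCII label"))
    return findings


if __name__ == "__main__":
    for host in (LEGIT_HOST, SPOOF_HOST, punycode_form(SPOOF_HOST), "b\u00fccher.example"):
        print(host, "->", punycode_form(host))
        print("  block all IDN:", blocks_all_idn(host))
        for label, reason in suspicious_labels(host):
            print("  suspicious label %r: %s" % (label, reason))
```

The two checks answer different questions: `blocks_all_idn` is the blunt instrument (it also rejects every legitimate non-English domain), while `suspicious_labels` keeps single-script IDNs and only singles out the mixed-script labels that a homograph spoof needs. Neither check says anything about the certificate, which is why the thread's point about the CA that issued it still stands.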
On Wed, Feb 09, 2005 at 07:22:05PM +, Ian G wrote:
| Adam Shostack wrote:
|
| Have you run end-user testing to demonstrate the user-acceptability of
| Trustbar?
|
|
|
| Yes, this was asked over on the cap-talk list.
| Below is what I posted there. I'm somewhat
| sympathetic as doing a