On 1/19/12 at 15:36, [email protected] (Paul Hoffman) wrote:
> The charter for this list says: "A number of people are interested in discussing proposals that have been developed in response to recent attacks on the Internet security infrastructure, in particular those that affected sites using TLS and other protocols relying on PKI."
>
> Which attacks are we interested in?
>
> a) Attackers can get a trusted PKIX certificate due to errors on the part of some CAs that are trusted by web browsers.
>
> b) Attackers can get a trusted PKIX certificate due to intentional laxness on the part of some CAs that are trusted by web browsers.
>
> c) Attackers can issue certificates that cause warnings in web browsers that are often ignored and clicked through.
>
> The solution to each of these is different.
I would add to this list:

d) Attackers can register a domain name that looks like that of another domain and entice users into visiting that domain instead of the intended domain. Unicode, with its many similar-looking glyphs, makes this easier, although the I/1 and O/0 similarities in 95-character ASCII have successfully been used in this kind of attack.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market    | Periwinkle
(408)356-8506      | because I can get fruits and  | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers.  | Los Gatos, CA 95032
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
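As an added example (not part of this thread or of any project it names), the following Python script shows the defender's side of item (d): detecting lookalike domain names. It folds each name to a "skeleton" in which confusable characters collapse to one canonical form, covering the I/1 and O/0 pairs from Bill's message, a few Cyrillic and Greek glyphs that match Latin ones, and the two-character "rn"/"m" case, and flags a name that is not a trusted domain but shares a trusted domain's skeleton, or that mixes scripts. The confusables tables and the trusted list (example.com, example.net) are constructed for this example; a real deployment would load Unicode's confusables.txt (UTS #39) and its own list of protected domains.

```python
"""Lookalike (homograph) domain detection.

Added example, not taken from the thread or any project it names.  A
candidate domain is folded to a "skeleton" in which confusable characters
collapse to a single canonical form; a candidate that is not a trusted
domain but shares a trusted domain's skeleton is flagged.  The confusable
tables below are a small constructed subset (an assumption of this example);
a production detector would load Unicode's confusables.txt (UTS #39).
"""
import unicodedata

# Constructed subset: single characters -> the canonical character they
# resemble.  Lowercasing happens first, so capital 'I' arrives here as 'i'.
CONFUSABLES = {
    "1": "l", "i": "l", "|": "l",   # I / l / 1 are near-identical in many fonts
    "0": "o",                        # O / 0
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "l",  # Cyrillic с у х і
    "\u03bf": "o", "\u03b1": "a",                                # Greek ο α
}
# Constructed subset: character pairs that render like one other character.
MULTI_CHAR_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def decode_idna(domain: str) -> str:
    """Convert a punycode ('xn--') domain to Unicode; other names pass through."""
    if domain.isascii() and "xn--" in domain:
        try:
            return domain.encode("ascii").decode("idna")
        except UnicodeError:
            return domain          # malformed label: analyse the raw string
    return domain


def skeleton(domain: str) -> str:
    """Fold a domain so that confusable spellings become identical strings."""
    folded = unicodedata.normalize("NFKC", decode_idna(domain)).lower()
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    for pair, single in MULTI_CHAR_CONFUSABLES:
        folded = folded.replace(pair, single)
    return folded


def scripts_in(domain: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, GREEK, ...) of the letters in a domain."""
    scripts = set()
    for ch in decode_idna(domain):
        if ch.isalpha():
            try:
                scripts.add(unicodedata.name(ch).split()[0])
            except ValueError:     # unnamed code point
                scripts.add("UNKNOWN")
    return scripts


def check_domain(candidate: str, trusted) -> list:
    """Return findings for a candidate domain; an empty list means no concern."""
    if decode_idna(candidate).lower() in trusted:
        return []                  # the genuine domain, not a lookalike
    findings = []
    scripts = scripts_in(candidate)
    if len(scripts) > 1:           # e.g. Cyrillic letters mixed into a Latin name
        findings.append("mixed-script name: " + ", ".join(sorted(scripts)))
    sk = skeleton(candidate)
    for name in sorted(trusted):   # sorted so findings come out in a stable order
        if skeleton(name) == sk:
            findings.append("looks like trusted domain " + name)
    return findings


if __name__ == "__main__":
    TRUSTED = {"example.com", "example.net"}   # constructed protected list
    for cand in ["examp1e.com", "exampIe.com", "exarnple.com",
                 "\u0435xample.com", "example.c0m", "examples.com"]:
        print(cand, "->", check_domain(cand, TRUSTED) or "ok")
```

The skeleton comparison is deliberately exact rather than fuzzy: "examples.com" is not flagged, because only spellings that a human eye cannot distinguish are folded together, which keeps the false-positive rate low enough to act on. Browsers apply the same idea when deciding whether to display an IDN label in Unicode or fall back to its "xn--" form, and a registrar or a certificate-issuance pipeline can run the same check before a name is accepted.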