Re: [Full-Disclosure] MSN Webcam / Chat Spoof

Valdis.Kletnieks_at_vt.edu
Date: 05/12/03

  • Next message: Vision Through Sound: "[Full-Disclosure] Paper: Spamdoors"
    To: "Richard M. Smith" <rms@computerbytesman.com>
    Date: Mon, 12 May 2003 13:33:58 -0400
    

    On Mon, 12 May 2003 10:09:32 EDT, "Richard M. Smith" <rms@computerbytesman.com> said:

    > My question: Why can't an Authenticode certificate present the
    > following information to a user:
    >
    > - Company name
    > - Street address
    > - Phone number
    > - Web site URL
    > - Contact Email address
    > - Company logo
    > - Link to a product description page

    OK... So you get a cert - now other than "phone number", is there anything
    there that *really* increases your confidence level (given that you have
    2 http:// and a mailto: URL, and they could all point at a hijacked server)?

    Remember that there has already been one well-publicized case of Verisign
    issuing a bogus Microsoft cert - there's no proof they haven't made the
    same social-engineering whoops on possibly *dozens* of lesser-known software
    houses.

    And after the dot-bombed era, there's probably a *lot* of places that had
    certs and went belly up - and said certs went out the door when the servers
    they were on got surplused. I'm sure snooping around the right hacker
    IRC channels will find you a pointer to a black-market cert that you can have
    a copy of....

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


