RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

From: David Schwartz (davids_at_webmaster.com)
Date: 02/13/05

    To: <bugtraq@securityfocus.com>
    Date: Sat, 12 Feb 2005 16:32:26 -0800
    
    

    > As a user of a browser I am not a customer of the CA, and it isn't
    > evident why the CA should be under any obligation to me. They surely
    > are under an obligation to their shareholders and their customers.

            Nonsense. The CA is asking for your trust and can only earn revenue based
    upon the number of people who trust it.

            This is like asking why Burger King shouldn't just use sawdust instead of
    beef if they can get away with it. The answer is that people will find out,
    and they'll stop trusting Burger King.

    > > Isn't this the entire reason for browsers coming with a
    > >small list of CAs which are deemed trustworthy?
    >
    > Perhaps I am too cynical. But I always thought they were there to
    > advance the business interests of the CAs.

            No. The browser companies don't care much about the CAs. They're to advance
    the business interests of the browser authors/vendors. And if the browser
    authors/vendors include CAs that aren't trustworthy, they'll either lose
    business, or create a business opportunity for others to lock down their
    browsers.

    > >If the holders of widely-trusted root certificates can't be trusted to
    > >avoid even the most rudimentary deceptions, many of the protections of
    > >SSL have only very limited value.
    >
    > The protections have only very limited value. They are perhaps
    > adequate to make MITM attacks unlikely, but they are not capable of
    > dealing with the kind of deception being discussed here.

            This I do agree with.

    > >Perhaps some more care on the part of browser packagers in deciding
    > >which CAs have their certificates included by default is the solution.
    >
    > This would not help much. The existing PKI based system is based on
    > an unnatural network of presumed trust.
    >
    > A better system would allow a certificate to have many co-signers,
    > much as PGP keys can be co-signed by many others. In such a system,
    > my credit card company could act as CA. I am a customer of my credit
    > card company, so this would build on natural trust relations.
    > Moreover, my credit card company could act as guarantor for any
    > purchases I make at web sites where they have signed the site
    > certificate (presuming that I use their credit card). This would
    > provide a substantial financial incentive for the credit card
    > company, acting as CA, to be wary of possible deceptive practices.

            This is not so much a better system as a system with a different objective.
    The object of the current PKI/SSL system is to prevent MITM attacks and
    ensure that you get to the domain name you entered. It is not intended to
    ensure that the end host is trustworthy in any way, just that you got the
    end host you wanted.

            The reason this particular problem is interesting is because it reflects a
    failure of the scheme to do precisely what it was intended to do.

            DS
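The point made above is that SSL/PKI only binds a certificate to the domain name the client asked for, so an IDN homograph defeats it when the name the user believes they typed and the name actually resolved are two different strings that render alike. The following is an added example (not part of the original post or of any browser's code) of the kind of client-side check a defender can run before trusting a hostname: it decodes Punycode labels and flags any label that mixes letters from more than one Unicode script. The hostnames, the Cyrillic-for-Latin substitution and the function names are constructed for this illustration; a full confusables check (e.g. a label written entirely in one non-Latin script that still mimics a Latin name) would need a confusables table, which this example does not include.

```python
import unicodedata


def decode_label(label: str) -> str:
    """Return the Unicode form of one hostname label.

    Punycode labels (leading 'xn--') are decoded with Python's idna codec;
    any other label is returned unchanged.
    """
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def label_scripts(label: str) -> set:
    """Collect the Unicode scripts of the letters in a label.

    The script is taken from the first word of the character's Unicode name
    ("LATIN", "CYRILLIC", "GREEK", ...). Digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split(" ")[0])
    return scripts


def is_mixed_script(host: str) -> bool:
    """True if any label of the hostname mixes letters from several scripts.

    Accepts either the Unicode or the Punycode (xn--) form of the name.
    """
    for label in host.split("."):
        if len(label_scripts(decode_label(label))) > 1:
            return True
    return False


def inspect_host(host: str) -> dict:
    """Summarise a hostname: decoded form, per-label scripts and the verdict."""
    labels = [decode_label(label) for label in host.split(".")]
    return {
        "decoded": ".".join(labels),
        "scripts": [sorted(label_scripts(label)) for label in labels],
        "mixed_script": is_mixed_script(host),
    }


# Constructed sample: "example.com" with the Latin 'a' replaced by the
# visually identical Cyrillic 'а' (U+0430), plus its Punycode wire form.
SPOOFED_UNICODE = "ex\u0430mple.com"
SPOOFED_PUNYCODE = SPOOFED_UNICODE.encode("idna").decode("ascii")
GENUINE = "example.com"

if __name__ == "__main__":
    for host in (GENUINE, SPOOFED_UNICODE, SPOOFED_PUNYCODE):
        print(host, "->", inspect_host(host))
```

The check runs on the hostname before the TLS handshake is even considered, because a certificate for the homograph name may well be valid: the certificate tells you only that you reached the host whose name you sent, which is exactly the guarantee the post describes.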

