RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

From: David Schwartz (davids_at_webmaster.com)
Date: 02/17/05

  • Next message: Robert Sussland: "Re: SHA-1 broken"
    To: <bkfsec@sdf.lonestar.org>
    Date: Wed, 16 Feb 2005 16:34:27 -0800
    
    

    > >No CA wants to find out what market forces will appear as
    > >soon as they
    > >prove to be untrustworthy. There are already many vehicles for
    > >immediately
    > >deploying blacklists. For example, Symantec could release an
    > >update for any
    > >of their security products that removed a root CA. It wouldn't take more
    > >than a small percent of web users to have a problem with a CA
    > >before people
    > >wouldn't want their certificates to be signed by that CA.

    > Symantec wouldn't do this. The backlash they would recieve from angry
    > users alone would be enough to discourage it, nevermind the potential
    > for legal problems.

            Then somebody else would. Market demand creates solutions. I can't see how
    the legal issues are any different from the ones they face when they label
    software as adware or spyware.

    > Comparing CA accountability to meat sales isn't a valid analogy.
    > Obviously, the CAs don't want to be regulated, but trusting them because
    > of this is a bit like saying that business owners would never short-pay
    > an employee because of fear of what the employees would do.

            No, that's not what I'm saying. I'm saying they might do it, and if they
    do, the mechanisms will appear immediately to fix it.

    > It's also like saying that corporations never form trusts and price fix
    > for fear of the consumer.

            No, they never do so because such strategies only work in very unusual
    circumstances. Nobody can make a person pay more for something than it is
    worth.

    > Obviously, both of these assumptions are wrong and the assumption
    > regarding CAs is also wrong. The fact that it is assumed in the first
    > place is *the problem*.

            I'm not assuming anything, I'm making an argument why it would be
    self-destructive for any CA to adopt such a strategy. That doesn't mean they
    won't do it, people certainly do stupid things when they think they can get
    away with it. But the fact is, CAs can't get away with it. So if they think
    they can, they will quickly be proven wrong.

    > Also, the fact that the CA market is competitive only further muddies
    > the waters. Not all CAs are in the same country and their competition
    > forces them to be price-competitive. This reduces the priority of being
    > responsible. Or, to use your meat analogy, mass-produced meat tends to
    > be of a lower quality than individually produced meat products,
    > particularly in unregulated countries.

            I could not disagree more. All a CA has to sell is its trust. The trust is
    its product. CAs sell trust, they are in the trust business. If a CA loses
    the trust of browser vendors, it has nothing to sell. If a CA loses the
    trust of users, pressure will be put on browser vendors.

    > People who think that the market will inherently protect them have been
    > reading too much Ayn Rand and need to step away from the
    > fiction-proposed-as-fact isle. No offense meant by that - it's said
    > tongue-in-cheek. :)

            Except that it does. Especially when all a company has to sell is its
    trust. This is true in many markets where companies have specifically set up
    to sell trust. You don't see people bribing the MPAA or Consumer Reports.
    Because such things could not possibly be hidden, and there's an immediate
    market remedy (stop trusting).

            DS


  • Next message: Robert Sussland: "Re: SHA-1 broken"