Re: Major IE SSL Vulnerability?

From: Eugen Leitl (eugen@leitl.org)
Date: Thu Aug 15 2002 - 04:53:15 MDT


On Thu, 15 Aug 2002, Peter Amstutz wrote:

> What this does is it allows one to circumvent the trust network, which in

SSL certs don't have a web of trust in the same way PGP/GPG has. It's a
very stunted tree. If any of you were to look into your browser's
preferences, you should be able to find an item (likely, under privacy &
security) called certificates. There are a number of cert authorities your
browser is being shipped with. That's the only difference between a
roll-your-own cert authority and a bundled one: it doesn't come bundled with
the browsers, and brings up all kinds of warning requesters, thus confusing
and alarming the poor little user.

Most cert issuing authorities do not verify the identity of the entity
they issue the cert to. As such, the certification process becomes
completely meaningless. It doesn't matter how strong the strongest link
is; the weakest link decides the total security.

> conjunction with an attack like DNS hijacking could fool the user into
> thinking they are connected to a certain web site when in fact they have
> been directed to the attacker's site (which could redirect traffic to the
> actual web site for a man-in-the-middle attack.) This doesn't

There's a demo mentioned on bugtraq. It is certainly very possible to
steal a large number of credit card numbers in a very short time that way.
Luckily, Mozilla seems to be too broken to be susceptible.

> fundamentally compromise SSL, only the notion that the only trusted
> persons on the web are the ones who bowed down and paid the mighty
> verisign absurd sums of money for something that took their servers about
> ten seconds to do.
>
> The SSL certificate system is quite a scam, really, given the amount of

Absolutely.

> effort involved in actually creating and signing certificates. $100 for a
> 1-year certificate, $200 for a 2-year certificate? All they did was

Hmm, I thought GeoTrust was rather cheap with $119

        http://www.geotrust.com/quickssl/index.htm

you can get it in 10 min, too. Purportedly, I personally use roll-my-own
certs.

> change the expiration date for god's sake! The only way to justify
> certificates being worth so much is if Verisign were legally liable for
> issuing a bad certificate, because it represents their best efforts at
> verifying your identity. For example, if they issue a certificate to some
> unscrupulous person supplying false credentials, verisign should be sued
> for damages resulting from the misuse of that certificate --- otherwise how
> could they justify charging so much? (Hint, it starts with an M and ends
> in "opoly")
>
> Er, sorry about the rant. Pet peeve there. Anyhow, despite the
> predictions of doom, this isn't a direct vulnerability so much as a way of
> increasing the effectiveness of other attacks. It does remove a potential
> layer of protection against spoofing, which is something to be concerned
> about.

Indeedy. About every user who goes to a trusted site, sees the right name in
the uri window (the gullible can be suckered by simple misspellings,
paypai, or the recent variant of it) and sees the closed lock symbol
believes herself to be safe.

DNS spoofing alone would at the very least bring up scary warning dialog
boxes.
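As an added example (not part of this thread or either poster's code), the Go program below models what the reply describes: a browser shipped with a fixed list of root CAs, any one of which can vouch for any host name (the weakest link), a roll-your-own self-signed certificate that fails validation (the warning requester), and a host-name mismatch of the kind DNS spoofing alone would produce. CA and host names are constructed, and only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parent's key; a nil parent yields a self-signed certificate.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // does not fail with rand.Reader
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // on a server cert: the name a browser compares with the URL bar
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA, // Basic Constraints: only CA certificates may vouch for others
		BasicConstraintsValid: true,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil { panic(err) } // only a programmer error (key/parent mismatch) gets here
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert, key
}
// Trusted reports whether leaf chains to a root in store and is valid for host: lock icon, no warning.
func Trusted(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}
// Scenario models a browser shipped with two roots: either one can vouch for any name.
func Scenario() (bundled, weakestLink, homebrew, wrongName bool) {
	rootA, keyA := issue("Bundled CA A", true, nil, nil)
	rootB, keyB := issue("Bundled CA B", true, nil, nil) // the least careful CA in the store
	store := x509.NewCertPool()
	store.AddCert(rootA)
	store.AddCert(rootB)
	leafA, _ := issue("shop.example", false, rootA, keyA)
	leafB, _ := issue("shop.example", false, rootB, keyB) // same name, vouched for by the other root
	leafHome, _ := issue("shop.example", false, nil, nil) // roll-your-own: self-signed, in no store
	return Trusted(leafA, store, "shop.example"), Trusted(leafB, store, "shop.example"),
		Trusted(leafHome, store, "shop.example"), Trusted(leafA, store, "paypai.example")
}
```

Scenario returns true, true, false, false: both bundled roots are accepted for the same name, while the self-signed certificate and the name mismatch are the two cases that would surface as a warning.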



This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:16:08 MST