Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Stefan Paletta <stefanp@xxxxxxxxxx>
Date: Thu, 17 Feb 2005 01:40:53 +0100
In-reply-to: <005a01c513b0$7d85cde0$0a01a8c0@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: bugtraq@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <14379.1108161895@xxxxxxxxxxxxxxxxx> <MDEHLPKNGKAHNMBLJOLKEEOFBLAB.davids@xxxxxxxxxxxxx> <20050215081234.GD56768@xxxxxxxxx> <001e01c5139f$2f48b8b0$0a01a8c0@xxxxxxxxxxxxxx> <421268A0.9020607@xxxxxxxxxxxxxxxx> <005a01c513b0$7d85cde0$0a01a8c0@xxxxxxxxxxxxxx>
Reply-to: Stefan Paletta <stefanp-exp-1109205653.0742cc@xxxxxxxxxx>
User-agent: Mutt/1.5.6i

Thor (Hammer of God) wrote/schrieb/scripsit:

When I got my NIC handle untold years ago, only 561 other humans had one.Your logic would preclude getting one in the first place, since no one knewthey existed at the time. When SSL certs were first being createdcommercially, how many server operators did you know that had one? Howmany do you know now? It's the same thing with client certs, and the logicstands that certificate applications apply to them as well; particularly inregard to the business and marketing models various certificate authoritiesare running their business by. That was the point.

Just like a NIC handle, a client certificate has no intrinsic value.People get a NIC handle to use it in a specific process. Just like NIChandles don't (anymore) work cross-registry, people will have to getspecific certificates to use in specific processes. It is only thenthat certificates, being a complex technology, actually work when theyare dumbed down and sealed off sufficiently.Server certificates are a slightly different thing, as their number is afew magnitudes lower than the number of client certificates. It is onlyeconomically viable to distribute knowledge if the number of ignorantpeople is low enough.


-Stefan
--
junior guru   SP666-RIPE     JID:stefanp@xxxxxxxxxxxxxxxx    SMP@IRC

References:
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Neil W Rickert
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: David Schwartz
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Vincent Archer
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Thor (Hammer of God)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: bkfsec
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Thor (Hammer of God)

Prev by Date: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Next by Date: RE: BrightStor ARCserve Backup buffer overflow PoC (fix available)
Previous by thread: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Next by thread: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Index(es):
- Date
- Thread