<<< Date Index >>>     <<< Thread Index >>>

Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.



David Schwartz wrote:

Wow.  You just conceded that there is significant pressure on major
vendors to not counter the CA, and then claimed that some ethereal other
would magically be able to enforce it where Symantec couldn't.

        What?! I did nothing of the sort. My "then" follows his "if". It does 
not
concede that his "if" is true, in fact I think it's preposterous.
Refusing to address a point in an argument and responding with "then someone else would have" is, by definition, conceding the point.

It's not a preposterous point. Why should Symantec use their AV product to police the CA market? How about their other products? It would only happen when it benefits them to do so, and that will only happen if the CAs completely fail to do their duties.

Market demand sometimes does create solutions, however to claim that it
does without fail is a bit naive.

        Didn't say that.
Yes, you did say that. Look back in the thread. You were saying "The market will provide a solution". I said that that was naive. Your retort was "didn't say that".

Are you conceding more points or just ignoring your own arguments?

So, if not Symantec, then who else do you propose would?

        Lavasoft, Computer Associates, Bazooka, Webroot, Zone Labs, and pretty 
much
every other computer security vendor.
The same pressures that affected Symantec would affect them.



History disagrees with you.  So do a number of economists.

        First of all, the unusual circumstances have occured in distorted 
markets.
All markets have the potential to be distorted. And any sober review of any market will find most of these practices in place to one degree or another.

Second, it took awhile for people to learn that these strategies almost
never work and to figure out precisely under what circumstances they do
work.
Sure, they didn't know the best way to cheat people at first. All solutions are better managed after trial and error. The problem with your argument is that there is corruption in the markets, or are you arguing that corruption is dead and all markets fix themselves? That would seem a bit assinine to me. I guess you'll just respond with "I never said that markets correct themselves..." :)


It would harm them, yes, but they very well can get away with it.

        Right, until it harms the users.
Correction: until it materially harms the user enough to address the issue. All decisions have a cost/benefit basis to them.


It's interesting how you cite market dynamics in your arguments, but
disregard them when they aren't favorable to your point.

        How so?
Because you're neglecting to consider important factors in the markets that are affected by this particular bug and, in fact, all CA root cert revocations on the part of browser producers and when I bring them up, you ignore them. Ignoring them makes it appear that you're being selective in your positions.


        Or people set up that CA to a lower level of trust where they know the
certificate has come from a CA they don't fully trust. Or maybe they
download a list of certificates manually from that CA and don't trust
unknown CAs without querying them with a third party. Or maybe, ...

        You can't predict how the market will work.
Of course not - I can only speculate based on factors at work at the time. The same goes for yourself.




        There is a market in keeping users ignorant. So long as things "just 
work"
users can stay ignorant, and I assure you, if CAs create a situation that
doesn't "just work", someone else will work hard to come up with a solution
to keep things that way.
Whoa whoa whoa. We're not talking about CAs creating a situation where things don't "just work". Not in the least.

We're talking about the current IDN "bug" and the CAs dealing with that. Someone else already answered that point by (correctly) stating that it is not the responsibility of the CAs to protect people from things like that.

My point is that even if it were their responsibility, you can't just explicitely trust them to do so. Their accountability in dealing with it is limited because as long as they are providing their service, they won't be harmed.

If that situation became the norm, obviously - over time - that CA would be obsoleted.

However, in the current context we're not talking about the CA system failing.


There are millions of people out there who don't trust the MPAA or the
RIAA, for that matter.  Not having the trust of the people hasn't
stopped them.  Again, you've chosen a very poor example.

        No, the issue (with the MPAA, I'm not sure how the RIAA got into this) 
is
not that people trust or don't trust them, the issue is that all they have
to sell is their trust. For the vast majority of people, trusting the MPAA
has never caused them a problem. So the alternatives to the MPAA only target
very specialized markets.
The average person doesn't have a choice. The MPAA is, effectively, a trust and a control for the movie industry. Looking through my own movie collection, I don't have many movies that aren't associated with the MPAA and I think I'd be hardpressed to find more than five.

The average person doesn't have a trust relationship with the MPAA. It's more of a dictatorial relationship. People buy or go watch movies and, if the product is defective, they return it. There's not much of a trust relationship there to speak of.

Hell, most people don't even trust the MPAA to properly rate movies.



The market does not inherently protect people.  Anyone who believes that
is reality impaired and doesn't have a very good understanding of
history nor economics.

        That's not what I'm saying. I'm saying CAs have a huge interest in 
making
sure their customers don't get harmed by their actions.

        

Yes, they have an interest in providing their services in the way that is economically feasible to achieve their best goals. Obviously, they don't want to see their customers harmed by their actions. However, it's a leap of faith to go from that to "they will provide the best service ever possible".
             -Barry