<<< Date Index >>>     <<< Thread Index >>>

Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.



Vincent Archer wrote:

On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:
        I'm not assuming anything, I'm making an argument why it would be
self-destructive for any CA to adopt such a strategy. That doesn't mean they
won't do it, people certainly do stupid things when they think they can get
away with it. But the fact is, CAs can't get away with it. So if they think
they can, they will quickly be proven wrong.

Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to
somebody who simply said he was a Microsoft employee, and they didn't
do any check about the identity of the person, what happened?

Nothing. Except issuing a couple of "oops" certificate revocations.

I can't even find a public announce by Verisign stating they would take
actions to correct their own validation procedures and avoid repetition
of the incorrect (and for a public CA, inexcusable) behaviour. Everybody
here hopes they fixed their procedures... but no one even knows.


I, too, would be interested in some kind of "lessons learned"-document, describing why this could happen at all - and how Verisign wanted to avoid it in the future.

It's really a pitty that the root-CAs in browsers haven't been subject to more public scrutiny - now and back then.




cheers,
Rainer

--
===================================================
~     Rainer Duffner - rainer@xxxxxxxxxxxxxxx     ~
~           Freising - Munich - Germany           ~
~    Unix - Linux - BSD - OpenSource - Security   ~
~  http://www.ultra-secure.de/~rainer/pubkey.pgp  ~
===================================================