Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

To: Vincent Archer <var@xxxxxxxxxxxx>
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Rainer Duffner <rainer@xxxxxxxxxxxxxxx>
Date: Fri, 18 Feb 2005 01:50:06 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20050217091248.GE61787@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <4213CA76.40901@xxxxxxxxxxxxxxxx> <MDEHLPKNGKAHNMBLJOLKMEGHBNAB.davids@xxxxxxxxxxxxx> <20050217091248.GE61787@xxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)

Vincent Archer wrote:

On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:

        I'm not assuming anything, I'm making an argument why it would be
self-destructive for any CA to adopt such a strategy. That doesn't mean they
won't do it, people certainly do stupid things when they think they can get
away with it. But the fact is, CAs can't get away with it. So if they think
they can, they will quickly be proven wrong.


Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to
somebody who simply said he was a Microsoft employee, and they didn't
do any check about the identity of the person, what happened?

Nothing. Except issuing a couple of "oops" certificate revocations.

I can't even find a public announce by Verisign stating they would take
actions to correct their own validation procedures and avoid repetition
of the incorrect (and for a public CA, inexcusable) behaviour. Everybody
here hopes they fixed their procedures... but no one even knows.

I, too, would be interested in some kind of "lessons learned"-document,describing why this could happen at all - and how Verisign wanted toavoid it in the future.

It's really a pitty that the root-CAs in browsers haven't been subjectto more public scrutiny - now and back then.





cheers,
Rainer

--
===================================================
~     Rainer Duffner - rainer@xxxxxxxxxxxxxxx     ~
~           Freising - Munich - Germany           ~
~    Unix - Linux - BSD - OpenSource - Security   ~
~  http://www.ultra-secure.de/~rainer/pubkey.pgp  ~
===================================================

References:
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: bkfsec
- RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: David Schwartz
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Vincent Archer

Prev by Date: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Next by Date: Re: Phishing hole found in IE and OE
Previous by thread: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Next by thread: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Index(es):
- Date
- Thread