Re: VeriSign feedback/comments on STS -06

> What I do not get is why this is addressed at the HTTP level. My first
> reaction is that this belongs at either the SSL or DNS layers, not HTTP.
>
> SSL by adding a suitable attribute to the certificate.

This would make it difficult to enroll (requiring changing all certs).

> DNS by adding a DNS record stating the site policy, similar to as has
> been done for SMTP and other protocols for similar policy purposes.

This is vulnerable to two attacks:

1) On first visit, active attackers may just hide this from the recipient.

2) Perhaps more importantly, as you note, this is vulnerable to blind,
long-lived DoS if the entry is spoofed and then cached by the browser
when the target site is not, in fact, SSL-enabled.

The first part is true also in the current model, if the user first
navigates to http://, rather than https://; but at least, it gives you
some choice. The second attack is much harder for TCP than it is for
DNS over UDP.

/mz

Received on Monday, 17 May 2010 21:34:44 UTC
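A toy model of the two policy-ingestion paths compared in the thread, added here as an example; it is not code from the STS draft or from either correspondent. The `StsCache` class, the `reachable` helper and the hostnames are constructed for illustration.

```python
"""Constructed illustration: header-over-TLS vs. unauthenticated DNS policy."""
import re
import time


class StsCache:
    """Minimal Strict-Transport-Security store: host -> (expiry, includeSubDomains)."""

    def __init__(self):
        self._policy = {}

    def learn_from_header(self, host, scheme, tls_ok, header, now=None):
        """HTTP-level design: honour the header only when it arrived over an
        error-free TLS connection; a header seen on http:// is ignored."""
        if scheme != "https" or not tls_ok:
            return False
        m = re.search(r"max-age\s*=\s*(\d+)", header, re.I)
        if not m:
            return False
        now = time.time() if now is None else now
        subs = "includesubdomains" in header.lower()
        self._policy[host] = (now + int(m.group(1)), subs)
        return True

    def learn_from_dns(self, host, max_age, now=None):
        """DNS-level design: the record arrives without any TLS handshake, so a
        spoofed answer is cached exactly like a genuine one."""
        now = time.time() if now is None else now
        self._policy[host] = (now + max_age, False)
        return True

    def is_known(self, host, now=None):
        now = time.time() if now is None else now
        for h, (expiry, subs) in self._policy.items():
            if expiry > now and (h == host or (subs and host.endswith("." + h))):
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade http:// to https:// for hosts with a live policy."""
        if url.startswith("http://"):
            host = url[7:].split("/", 1)[0]
            if self.is_known(host, now):
                return "https://" + url[7:]
        return url


def reachable(cache, url, https_enabled, now=None):
    """An upgraded request to a host with no HTTPS service fails: that is the
    long-lived DoS the thread describes for a spoofed, cached DNS policy."""
    return https_enabled or not cache.rewrite(url, now).startswith("https://")
```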