- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Wed, 11 Jul 2007 21:09:33 -0400
- To: Johnathan Nightingale <johnath@mozilla.com>, Serge Egelman <egelman@cs.cmu.edu>, W3C WSC Public <public-wsc-wg@w3.org>
Sure, that's a valid point. However, your fatal error is assuming that a user is going to read the details of the cert. Hell, if I do not receive a warning related to a certificate, I'm not going to waste time inspecting the details. Do you? Currently, most browsers warn about SSCs. If I'm an attacker and want to use a certificate on my site, I'm going to get a cheap CA-issued one to avoid that warning. I'd rather get it for bankofamerica.phishingsite.com than roll my own for bankofamerica.com because I can be reasonably assured that none of my targets will actually examine the name on it if they don't see a warning message.

serge

Thomas Roessler wrote:
> On 2007-07-09 15:47:55 -0400, Johnathan Nightingale wrote:
>
>> What would your recommendation be for SS certs? We toyed with
>> the idea of saying that an SS cert connection should be quietly
>> encrypted, but present no security indicators, since we have no
>> reason to trust it. The problem is that this enables the MitM
>> scenario nicely. A diligent user is careful never to visit her
>> bank except via her trusted https bookmark, or by typing in the
>> URL manually. If someone tried to DNS spoof with a straight http
>> connection, the attempt would fail, since the https connection
>> would fall on the floor. But if SS certs are quietly allowed
>> through, the attacker can spin a SS-cert for bankofamerica.com
>> and the connection would succeed (albeit without the usual
>> context indicators). This is the kind of thing that can't happen
>> with a cert issued by a trusted CA, even a $20 one.
>
> Isn't this a poster child use case for exploiting browser state?
> E.g., exploiting the knowledge that a certain domain in connection
> with HTTPS used to have a CA-based cert, and warning when that
> changes?
>

--
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Thursday, 12 July 2007 01:11:29 UTC
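The per-host certificate memory that Thomas Roessler suggests at the end of the quoted thread (remember that a domain presented a CA-issued certificate over HTTPS, and warn when it later presents a self-signed one) can be sketched in a few dozen lines. The Python below is an added example for this archive page; it is not code from the thread, from Mozilla, or from any browser. It assumes a simplified certificate record (host, subject, issuer, SHA-256 fingerprint) in place of real X.509 parsing, treats "issuer equals subject" as the self-signed test, and uses constructed fingerprints and a constructed "Example CA" name. It goes slightly beyond the thread in one respect: a self-signed certificate whose key changes between visits is also flagged, since the same state makes that check free.

```python
"""Per-host TLS certificate memory: warn on a CA-issued -> self-signed downgrade.

Added example, not code from the mailing-list thread or from any browser.
Certificate records and fingerprints below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
import json


@dataclass(frozen=True)
class ObservedCert:
    """The parts of a server certificate the memory cares about (simplified)."""
    host: str
    subject: str
    issuer: str
    fingerprint: str  # hex SHA-256 of the DER certificate; constructed here

    @property
    def self_signed(self) -> bool:
        # A self-signed certificate names itself as its own issuer.
        return self.subject == self.issuer


class Verdict(Enum):
    FIRST_SEEN = "first_seen"              # no prior state: accept and remember
    UNCHANGED = "unchanged"                # same certificate as last time
    CA_ROTATED = "ca_rotated"              # CA-issued before and now: normal renewal
    UPGRADED = "upgraded"                  # self-signed before, CA-issued now
    WARN_DOWNGRADE = "warn_downgrade"      # CA-issued before, self-signed now: the MitM case
    WARN_KEY_CHANGED = "warn_key_changed"  # self-signed before and now, different cert


class CertMemory:
    """Remembers, per host, the last certificate kind and fingerprint seen over HTTPS."""

    def __init__(self, state=None):
        # host -> {"kind": "ca_issued" | "self_signed", "fingerprint": hex}
        self._state = dict(state or {})

    def observe(self, cert: ObservedCert) -> Verdict:
        prior = self._state.get(cert.host)
        now_kind = "self_signed" if cert.self_signed else "ca_issued"
        if prior is None:
            verdict = Verdict.FIRST_SEEN
        elif prior["fingerprint"] == cert.fingerprint:
            verdict = Verdict.UNCHANGED
        elif prior["kind"] == "ca_issued" and now_kind == "self_signed":
            verdict = Verdict.WARN_DOWNGRADE
        elif prior["kind"] == "self_signed" and now_kind == "self_signed":
            verdict = Verdict.WARN_KEY_CHANGED
        elif prior["kind"] == "self_signed" and now_kind == "ca_issued":
            verdict = Verdict.UPGRADED
        else:
            verdict = Verdict.CA_ROTATED
        # A warning does not overwrite the remembered baseline: if the user backs
        # out, the next visit is still judged against the last trusted certificate.
        if verdict not in (Verdict.WARN_DOWNGRADE, Verdict.WARN_KEY_CHANGED):
            self._state[cert.host] = {"kind": now_kind, "fingerprint": cert.fingerprint}
        return verdict

    def dumps(self) -> str:
        """Serialise the memory so it survives across browser sessions."""
        return json.dumps(self._state, sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "CertMemory":
        return cls(json.loads(text))


def run_scenario():
    """Replay the thread's scenario on constructed certificates; returns the verdicts."""
    memory = CertMemory()
    # Constructed records: the real site's CA-issued cert, a renewal, then a
    # spoofed self-signed cert for the same name (the DNS-spoof + SS-cert case).
    ca_cert = ObservedCert("bankofamerica.com", "CN=bankofamerica.com", "CN=Example CA", "aa" * 32)
    renewed = ObservedCert("bankofamerica.com", "CN=bankofamerica.com", "CN=Example CA", "bb" * 32)
    spoofed = ObservedCert("bankofamerica.com", "CN=bankofamerica.com", "CN=bankofamerica.com", "cc" * 32)
    return [memory.observe(ca_cert), memory.observe(renewed),
            memory.observe(spoofed), memory.observe(renewed)]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict.value)
```

The design choice worth noting is that the two warning verdicts leave the stored baseline untouched, so a single spoofed connection cannot "train" the memory into accepting the attacker's certificate on the next visit; only a first visit, an unchanged certificate, or a transition the policy treats as benign (CA renewal, self-signed to CA-issued) updates the state.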