[19305] in cryptography@c2.net mail archive
Re: browser vendors and CAs agreeing on high-assurance certificates
daemon@ATHENA.MIT.EDU (Adam Shostack)
Sun Dec 18 14:38:36 2005
X-Original-To: cryptography@metzdowd.com
Date: Sun, 18 Dec 2005 14:09:05 -0500
From: Adam Shostack <adam@homeport.org>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com,
"Steven M. Bellovin" <smb@cs.columbia.edu>
In-Reply-To: <43A53492.24055.6F961CC@localhost>
Higher assurance means that when the CA gets duped, it's even better
for the phishers, because that nice, reassuring green bar will be
there.
To preserve the internet channel as a means of communicating with
customers, we need to move to bookmarks, not email with clickable
URLs. That method is a black hole.
(I've blogged somewhat verbosely about this too, if anyone cares:
http://www.emergentchaos.com/archives/002104.html
http://www.emergentchaos.com/archives/002060.html
On Sun, Dec 18, 2005 at 10:06:10AM -0800, James A. Donald wrote:
| --
| From: "Steven M. Bellovin"
| <smb@cs.columbia.edu>
| > The very first phishing attack I ever heard of was for
| > paypa1.com. As I recall, they did have a certificate.
|
| And would they not have had a high assurance
| certificate, since presumably they really were
| paypa1.com?
|
| Even if the vendors do implement a policy that all new
| urls must be significantly different from known high
| value urls, which is not their stated policy, this is
| not going to help much with such high value urls as:
| "https://lb22.resources.hewitt.com"
|
| Proving true names is not much help, because there are
| too many names.
|
| --digsig
| James A. Donald
| 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
| CS4AkcyJ2ZhuZtOouD5yH0AnqodmyrqySuYZgRXQ
| 4Y1XkuPvMRrV9M2owdKcEoRRGZzIuxUqEcgxLcPX7
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
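As an added illustration that is not part of the thread, the check below implements the policy James Donald describes (refuse or flag a new name that is too close to a known high-value name) using a small confusable-folding table plus edit distance. Everything in it is an assumption for the example: the high-value list, the confusable table, and the "last two labels" heuristic for the registrable domain (real code would use the public suffix list). It catches paypa1.com, and it shows the gap both posters point at: lb22.resources.hewitt.com and paypal-secure.com pass the check, because a list of true names cannot know every legitimate name or every plausible fake.

```python
# Added example, not code from the thread: a lookalike check of a candidate
# host against a list of known high-value domains. Constructed data throughout.
import unicodedata

# Characters and digraphs a phisher substitutes for visually similar ones.
# Assumed table; a real one would be larger and include Unicode homoglyphs.
CONFUSABLES = {
    "1": "l", "0": "o", "5": "s", "3": "e", "7": "t", "8": "b",
    "rn": "m", "vv": "w", "cl": "d",
}

# Constructed list standing in for the vendors' "known high value" names.
HIGH_VALUE = ["paypal.com", "ebay.com", "citibank.com"]


def registrable(host):
    """Crude registrable domain: the last two DNS labels.
    Assumption for the example; fine for .com, wrong for e.g. .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(name):
    """Fold confusables so paypa1 -> paypal and rnicrosoft -> microsoft.
    Both the candidate and the known names are folded before comparison."""
    s = unicodedata.normalize("NFKC", name).lower()
    for pair in ("rn", "vv", "cl"):          # digraphs first
        s = s.replace(pair, CONFUSABLES[pair])
    return "".join(CONFUSABLES.get(c, c) for c in s)


def edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(host, known=HIGH_VALUE, max_dist=1):
    """Return the high-value domain `host` imitates, or None.
    None also means 'unknown to the list', which is exactly the problem:
    a legitimate but unlisted name and a well-chosen fake look the same."""
    dom = registrable(host)
    if dom in known:
        return None                      # the genuine article
    sk = skeleton(dom)
    for k in known:
        if sk == skeleton(k) or edit_distance(sk, skeleton(k)) <= max_dist:
            return k
    return None


if __name__ == "__main__":
    for h in ("www.paypa1.com", "www.paypal.com",
              "lb22.resources.hewitt.com", "paypal-secure.com"):
        print(f"{h:30} -> {lookalike_of(h)}")
```

The first host is flagged as imitating paypal.com; the other three all come back None, and nothing in the result distinguishes the genuine hewitt.com host from the fake paypal-secure.com. That is why the thread's conclusion is to anchor trust in something the user already holds (a bookmark) rather than in how a freshly minted name compares to a list.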