[115631] in cryptography@c2.net mail archive

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Fri Feb 22 09:10:38 2008

From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: leichter_jerrold@emc.com, thierry.moreau@connotech.com
Cc: cryptography@metzdowd.com
In-Reply-To: <47B9D6EB.2060400@connotech.com>
Date: Fri, 22 Feb 2008 14:39:02 +1300

Thierry Moreau <thierry.moreau@connotech.com> writes:

>At first, it seems neat. But then, looking at how it works in practice: the
>client receives an e-mail notification soliciting him to click on a HTML link
>and then enroll for a security certificate, the client is solicited exactly
>like a phishing criminal would do,

Correction, "exactly like phishing criminals are actively doing right now"
(hat tip to Don Jackson of SecureWorks who's investigated and documented this
practice).  Given the almost complete failure of client certs in the
marketplace, I found it most amusing that the current active users of "client
certs" are phishers.  It reminded me of spammers and SPF.

>       Title:   Sender driven certification enrollment system
>       Document Type and Number:  United States Patent 6651166
>       Link to this page:  http://www.freepatentsonline.com/6651166.html
>
>       Filing Date: 04/09/1998
>       Publication Date: 11/18/2003

Thus postdating Microsoft's CertEnroll/Certenr3/Xenroll ActiveX control by
several years.  The only difference here is that the user generates the cert
directly rather than involving a CA.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com