[13611] in cryptography@c2.net mail archive
Re: An attack on paypal
daemon@ATHENA.MIT.EDU (James A. Donald)
Thu Jun 12 17:54:24 2003
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
Date: Thu, 12 Jun 2003 14:36:04 -0700
In-reply-to: <20030612000715.C227C7B4D@berkshire.research.att.com>
--
On 11 Jun 2003 at 20:07, Steven M. Bellovin wrote:
> Let me point folk at http://www.securityfocus.com/news/5654
> for a related issue. To put it very briefly, *real*
> authentication is hard.
I don't think so.
Verisign's authentication is notoriously worthless and full of
holes, yet very few attacks have been based on getting
certificates issued to the wrong party, or on stealing poorly
defended and readily accessible certificates, even though that
is quite easy to do.
One of the scams described in the paper you cite was the old
"www.e-go1d.com" scam, but done using paper, rather than the
internet -- the scammers registered a company name similar to that
of a target company owning a large block of IP addresses, and
printed letterhead paper similar to that of the other company.
The problem was not that authentication was hard. Passwords
would have sufficed. Self signed public keys would have
worked even better.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
NoFj3E7m34BUCZIG2feG13OK1W+zx+gF7GsDX+Fm
40IAMrSyeCwPFMzRybwYkgWLZ2JE97Ao595KgemVp
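The "self signed public keys" point above, as an added illustration that is not part of the list post: the recipient pins the first public key it sees for a name, the way an SSH known_hosts file does, and from then on a message for that name only verifies under the pinned key. No certificate authority is involved. The key type (Ed25519), the name-keyed store and the "e-gold"/"e-go1d" sample names are assumptions chosen for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedMessage is what a correspondent sends: the name it claims, its own
// (CA-less, self-asserted) public key, the body, and a signature over
// name||body so the name cannot be swapped without invalidating the signature.
type SignedMessage struct {
	Name string
	Key  ed25519.PublicKey
	Body []byte
	Sig  []byte
}

// signedBytes binds the claimed name to the body under the signature.
func signedBytes(name string, body []byte) []byte {
	return append([]byte(name+"\x00"), body...)
}

// Sign produces a message under the sender's own key; nobody vouches for it.
func Sign(name string, priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{
		Name: name,
		Key:  priv.Public().(ed25519.PublicKey),
		Body: body,
		Sig:  ed25519.Sign(priv, signedBytes(name, body)),
	}
}

var (
	ErrBadSig     = errors.New("signature does not verify under the presented key")
	ErrKeyChanged = errors.New("key differs from the one pinned for this name")
)

// KeyStore pins the first key seen for each name (trust on first use).
type KeyStore struct {
	pinned map[string]ed25519.PublicKey
}

func NewKeyStore() *KeyStore {
	return &KeyStore{pinned: map[string]ed25519.PublicKey{}}
}

// Accept verifies the signature, pins the key on first contact, and rejects a
// later message for the same name that arrives under a different key.
func (ks *KeyStore) Accept(m SignedMessage) error {
	if !ed25519.Verify(m.Key, signedBytes(m.Name, m.Body), m.Sig) {
		return ErrBadSig
	}
	if old, ok := ks.pinned[m.Name]; ok {
		if !bytes.Equal(old, m.Key) {
			return ErrKeyChanged
		}
		return nil
	}
	ks.pinned[m.Name] = m.Key
	return nil
}

// RunScenario replays the letterhead-style impersonation against the store
// and returns the outcome of each step, keyed by a short label. The two
// keypairs and all message bodies are constructed for the example.
func RunScenario() map[string]error {
	out := map[string]error{}
	_, alice, _ := ed25519.GenerateKey(rand.Reader)   // the real company
	_, mallory, _ := ed25519.GenerateKey(rand.Reader) // the impersonator
	ks := NewKeyStore()

	out["first contact"] = ks.Accept(Sign("e-gold", alice, []byte("please pay invoice 1")))
	out["same key again"] = ks.Accept(Sign("e-gold", alice, []byte("please pay invoice 2")))
	// Mallory claims the pinned name but cannot sign under the pinned key.
	out["same name, new key"] = ks.Accept(Sign("e-gold", mallory, []byte("send funds here")))
	// A genuine message altered in transit no longer verifies.
	m := Sign("e-gold", alice, []byte("please pay invoice 3"))
	m.Body = []byte("please pay invoice 3 to mallory")
	out["tampered body"] = ks.Accept(m)
	// The residual risk: a look-alike name is a fresh identity, pinned on
	// first use. Key continuity catches a changed key, not a changed name.
	out["look-alike name"] = ks.Accept(Sign("e-go1d", mallory, []byte("send funds here")))
	return out
}

func main() {
	for step, err := range RunScenario() {
		fmt.Printf("%-20s -> %v\n", step, err)
	}
}
```

The look-alike case is the one that survives: key continuity defeats an attacker who cannot reproduce the first-seen key, but it does nothing about a name the human never pinned in the first place, which is exactly the e-go1d trick.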
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com