[13628] in cryptography@c2.net mail archive
Re: An attack on paypal
daemon@ATHENA.MIT.EDU (Bill Stewart)
Sat Jun 14 10:54:53 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Fri, 13 Jun 2003 16:32:12 -0700
To: <cryptography@metzdowd.com>
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <3.0.5.32.20030611142439.00870580@pop.west.cox.net>
At 02:24 PM 06/11/2003 -0700, David Honig wrote:
>At 12:42 PM 6/11/03 -0600, Anne & Lynn Wheeler wrote:
> >actually, if you had a properly secured DNS .... then you could trust DNS
> >to distribute public keys bound to a domain name in the same way they
> >distribute ip-addresses bound to a domain name.
>...
>Adding PKeys to Yellow Pages merely lets you get scammed *confidentially*.
Unfortunately, that doesn't help you against wetware attacks -
the "paypa1.com" and "e-g0ld.com" web sites can have valid certs,
and your browser is unlikely to notice that they're different
from the certs at the sites "paypal.com" and "e-gold.com"
because they've got different domain names.
So it won't notice that the certs have changed, because they haven't,
they're just the new certs for the new websites.
And client-side certs won't help, because the bogus sites
can happily accept them or ignore them.
An e-gold-specific or paypal-specific client can tell,
because it can remember that it's trying to see the real thing,
but the browser can't tell, except by bugging you about
"Hi, this is a new site that's giving us a new cert" placebo box.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
