Posted by Sebastian Gottschalk on August 22, 2006, 4:26 am
Ludovic Joly wrote:
> Markus Jansson wrote:
>> jois.de.vivre@gmail.com wrote:
>>> I see, so the public key has to be known and trusted beforehand? Does
>>> a browser then keep a list of trusted public keys?
>> Yes. They are in its database when browser is installed to the computer.
>
> This is very convenient, an excellent feature. Anyone with a
> corresponding "trusted" private key and access to the route can perform
> a MITM attack and decrypt and modify the traffic. We reach the point
> where "trusted" has to be taken seriously.
Some commercial operating systems deliver such key stores as well. Hey,
I found something Windows is actually good for. :-)
|
|
Posted by Markus Jansson on August 22, 2006, 3:36 pm
Ludovic Joly wrote:
> Anyone with a
> corresponding "trusted" private key and access to the route can perform
> a MITM attack and decrypt and modify the traffic.
Only people who can do that are the ones who HAVE that key, which means
the site owners, which can decrypt the traffic anyway, so...what's your
point?
Of course Verisign could sign bogus key for me for
https://www.hushmail.com but why the heck would they do that? They get
more money on publishing valid certs than invalid. Not to mention that I
can always save hushmail.com cert to my computer and compare it to the
one the "site" is offering me.
--
My computer security & privacy related homepage
http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
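The saved-certificate comparison described in the post above, as an added example that is not part of the original thread: it pins the SHA-256 fingerprint of a site's certificate on first contact and flags any later certificate that differs, even one that chains to a trusted root. The host name, byte strings and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SAVED_DER = b"constructed-der: certificate saved on an earlier visit"
OTHER_DER = b"constructed-der: different certificate for the same host"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of the certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def check_pin(host: str, offered_der: bytes, pins: dict) -> str:
    """Compare the offered certificate with the one saved for this host.

    'pinned'   first contact, fingerprint stored (trust on first use)
    'match'    offered certificate is identical to the saved one
    'mismatch' certificate changed; the stored pin is left untouched, since
               a legitimate renewal and a mis-issued certificate look the
               same here and need an out-of-band check
    """
    key = host.lower()
    offered = fingerprint(offered_der)
    saved = pins.get(key)
    if saved is None:
        pins[key] = offered
        return "pinned"
    return "match" if hmac.compare_digest(saved, offered) else "mismatch"


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a live server offers (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> list:
    """Run the three cases against the constructed byte strings."""
    pins = {}
    return [check_pin("www.example.test", SAVED_DER, pins),
            check_pin("WWW.example.test", SAVED_DER, pins),
            check_pin("www.example.test", OTHER_DER, pins)]
```

Against a real site, pass `fetch_der(host)` as `offered_der` and persist `pins` between runs.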
|
|
Posted by Sebastian Gottschalk on August 22, 2006, 3:44 pm
Markus Jansson wrote:
> Of course Verisign could sign bogus key for me for
> https://www.hushmail.com but why the heck would they do that?
Because they're stupid?
Hint: They signed a key of an unknown, who called in by anonymous phone,
a cert on the company name "Microsoft Corporation". Yes, Class 3, which
normally requires a full identity verification process.
> They get more money on publishing valid certs than invalid.
No, they get money for publishing certs. Really doesn't matter if valid
or spoofed.
|
|
Posted by Barry Margolin on August 22, 2006, 4:34 pm
> Markus Jansson wrote:
>
> > Of course Verisign could sign bogus key for me for
> > https://www.hushmail.com but why the heck would they do that?
>
> Because they're stupid?
>
> Hint: They signed a key of an unknown, who called in by anonymous phone,
> a cert on the company name "Microsoft Corporation". Yes, Class 3, which
> normally requires a full identity verification process.
>
> > They get more money on publishing valid certs than invalid.
>
> No, they get money for publishing certs. Really doesn't matter if valid
> or spoofed.
But their reputation should be based on how well they validate certs
before publishing them. Ideally, browser vendors would not include the
certificates of CAs with bad reputations, and site owners would not
publish their certs through them. And if site owners don't publish
certs through them, they don't get money.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
|
|
Posted by Sebastian Gottschalk on August 22, 2006, 6:22 pm
Barry Margolin wrote:
> But their reputation should be based on how well they validate certs
> before publishing them.
Should, should, should...
> Ideally, browser vendors would not include the certificates of CAs with
> bad reputations,
Tell it to the browser vendors. They don't care, because they're getting
paid for including the certs beside better knowledge.
> and site owners would not publish their certs through them.
Tell it to the site owners. They usually only use the certificate to get
the yellow SSL lock without getting any warnings displayed to the user.
And that's why they won't buy any secure certificates from really secure
CAs that are not included in the web browser.
Security really doesn't matter.
> And if site owners don't publish certs through them, they don't get money.
As you see, it's a self-supporting model of extortion and
monopolization. Up to today, the cut between CAs included in the browser
and secure+trustworthy CAs is empty (or, at best, you might accept the
Staat der Nederlanden Root CA). Particularly due to VeriSign acquiring
all previously trustworthy CAs and applying their understanding and
practices of "security".
|