|
|
BugTraq
New whitepaper "The Phishing Guide" Sep 22 2004 04:38PM Gunter Ollmann (NGS) (gunter ngssoftware com) (1 replies) Re: New whitepaper "The Phishing Guide" Sep 23 2004 02:57PM Aleksandar Milivojevic (amilivojevic pbl ca) (3 replies) Re[2]: New whitepaper "The Phishing Guide" Sep 26 2004 02:35PM Karsten Heidrich (karsten heidrich-da de) Re: New whitepaper "The Phishing Guide" Sep 24 2004 06:39PM Daniel Veditz (dveditz cruzio com) (3 replies) Re: New whitepaper "The Phishing Guide" Sep 27 2004 02:26PM Chip Andrews (chip sqlsecurity com) (1 replies) Re: New whitepaper "The Phishing Guide" Sep 23 2004 07:21PM Seth Arnold (sarnold immunix com) (2 replies) Re: New whitepaper "The Phishing Guide" Sep 27 2004 06:05PM Greg A. Woods (woods weird com) (1 replies) Re: New whitepaper "The Phishing Guide" Sep 27 2004 03:39PM Aleksandar Milivojevic (amilivojevic pbl ca) |
|
Privacy Statement |
> How does that help in practice? A user fooled by a link to ebay-support.com
> is just as likely to accept signed mail from foo (at) ebay-support (dot) com. [email concealed] Not to
> mention that the potential profits from phishing could easily finance the
> purchase of a forged cert if someone at one of the built-in CA's was
> corruptible. Given the several that are based in 3rd world companies (not to
> mention recent US corporate scandals) I have no confidence that won't
> eventually happen.
it is quite possible, I had success of convincing U.S. CAs of issuing me
a certificate, while they shouldn't. I once wrote an article about it to
2600.
Seems like most CAs are more capable of selling certificates than
providing real security checks, which are usually done by using that
same insecure channels, that they are trying to protect.
For example:
- a fax of business license (which for example in our country can be
get by anyone)
- e-mail to one of the administrative contacts from whois database
(which can be -- if not protected -- changed by sending simple
e-mail, if your registrar uses RIPE).
- creating a file on the target webserver (which in turn is capable of
all those attacks, that SSL is trying to protect).
So basically, "hacking" CA is just paperwork, e-mail and browserwork.
You can read the article here:
http://files.juraj.bednar.sk/CA
(I'm not sure, if it's the latest version, that got published, so please
forbid any small mistakes, but you will get the point, hopefully).
I believe there are CAs, that are more secure even for e-mail. Here in
Slovakia, we have even law about electronic signatures, and you have to
go physically to CA, show your ID, passport and after you convince them,
you are the right person, they issue you a certificate (which is equal
to signature on paper). One particular issue is, that they guarantee
also your identity (not only the ability to read particular e-mail,
which often is checked by so-called CAs by sending e-mail to the target
address and user has to check the link, which does not guarantee
anything, but the ability to read the particular e-mail -- which we want
to protect from unauthorized users, right?).
Juraj.
[ reply ]