I am killing the SSL / DNS thread. I am summarizing the responses. If you would like to continue the discussion I suggest the SSL-TALK mailing list.

As Dan explained, such an attack is indeed possible, but as many others pointed out, the attack in and of itself is not against SSL but against the user. It all comes down to how you know that First National Bank's domain name is firstnational.com and not first.national.com or fbank.com. It may well be that the bank has multiple domain names. Identity binding to domain names or keys is not an easy issue to solve, nor is it a purely technical one.

Many people pointed out that certificates are bound to domain names, ergo if you know the domain name you are trying to connect to, the certificate cannot be spoofed.

It was also pointed out that to obtain a certificate from the top CAs there is a long list of requirements, such as showing proof of incorporation. This is actually not as difficult as some of you may think. Residents of Nevada can attest to how easy it is to incorporate.

It was also pointed out that you can create your own self-signed certificates and that most browsers will ask the user whether to accept and add the new certificate to their configuration. Most users will of course simply click on all the OK buttons they see.

It was suggested that web sites should be advertising their SSL certificate fingerprints (much in the same way as you should advertise your PGP fingerprints) and that users should learn to verify the fingerprint when visiting a web site. Of course the chances of a large portion of the population learning this are small.

--
Elias Levy
Security Focus
http://www.securityfocus.com/
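The fingerprint check suggested above, as an added example that is not part of the original post: it compares the digest of a certificate with a fingerprint the site has advertised through another channel. The function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl

# Hex length of the advertised value selects the hash it was made with.
_ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256"}

# Constructed stand-in for the DER bytes of a certificate (not a real certificate).
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"


def normalize_fingerprint(text):
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\n").lower()
    if len(cleaned) not in _ALGO_BY_HEXLEN:
        raise ValueError("not a SHA-1 or SHA-256 fingerprint")
    if any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def fingerprint(der_bytes, algo="sha256"):
    """Return the digest of the DER bytes in the usual AA:BB:CC display form."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_advertised(der_bytes, advertised):
    """True only if the certificate hashes to the advertised fingerprint."""
    want = normalize_fingerprint(advertised)
    got = hashlib.new(_ALGO_BY_HEXLEN[len(want)], der_bytes).hexdigest()
    return hmac.compare_digest(got, want)


def fetch_der(host, port=443):
    """Fetch the certificate a server presents, without validating it (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    advertised = fingerprint(SAMPLE_DER)  # what the site would publish
    print("advertised:", advertised)
    print("same certificate:", matches_advertised(SAMPLE_DER, advertised))
    print("substituted certificate:", matches_advertised(b"other bytes", advertised))
```

The check is only as good as the channel the advertised fingerprint arrived on: a value read from the same connection that delivered the certificate proves nothing.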
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:33 PDT