[Dshield] 0wnlng Windows machines

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Feb 27 14:37:19 GMT 2007


On Tue, 27 Feb 2007 09:25:53 +0100, Tony Earnshaw said:
> Stasiniewicz, Adam wrote, on 27. feb 2007 02:44:
> > D has signed C certificate certifying that C really is C.  A's manufacturer
> > or administrator has included D public certificate in the list of trusted
> > CAs.  Now when A connects to B, B has a certificate that says it is C, but
> > since it was not signed by D, A knows that it might be fake (and the user
> > will get a warning prompt).
> 
> Barlaeus doesn't issue self-signed public certificates; we are our own 
> CA authority and we are our own root authority. We ask people to trust 
> us as CA authority. There's a great difference between SSH security and 
> PKI security.

Of course, the *problem* here is that the PKI doesn't provide any *REAL*
security, because any browser out there right now will quite happily close
the little padlock saying that you have successfully followed the link to
https://www.pwned-web.com/cgi-bin/your-phish-here.php (and *that* attack is
much easier to set up than an actual MITM with/without DNS spoofing).

And no, that recent "improved security" certificate stuff where you'll get
a different color padlock if you visit a site that's had more money extorted
from them won't actually fix the problem.