[Dshield] 0wnlng Windows machines

Tomas L. Byrnes tomb at byrneit.net
Tue Feb 27 19:20:51 GMT 2007


I think the greater issue is that people don't really understand how PKI
works.

In a nutshell, what PKI does is say that some certificate that you have
chosen to trust says that the credentials being presented are who they
say they are, that is all. It has all sorts of other bells and whistles
that are, mostly, unused.

Since the Root Certificate Authorities are businesses who are in the
business of selling as many certificates as possible, most of them do a
cursory, at best, verification of the identity of the requester of a
certificate. In addition, they have a limited incentive to keep their
own systems secure (avoid the worst compromises) or ensure that their
internal procedures are valid and followed, while being a very juicy
target.

PKI would have worked/could work much better if it were tied to the
banking system. Banks have very good reasons for verifying the
identities of their customers, and you can always track people back to
their money.

This is the idea behind www.indetrust.com
 

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of 
> Valdis.Kletnieks at vt.edu
> Sent: Tuesday, February 27, 2007 6:37 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] 0wnlng Windows machines
> 
> On Tue, 27 Feb 2007 09:25:53 +0100, Tony Earnshaw said:
> > Stasiniewicz, Adam wrote, on 27. feb 2007 02:44:
> > > D has signed C's certificate certifying that C really is C.  A's 
> > > manufacturer or administrator has included D's public certificate in 
> > > the list of trusted CAs.  Now when A connects to B, B has a 
> > > certificate that says it is C, but since it was not signed by D, A 
> > > knows that it might be fake (and the user will get a warning prompt).
> > 
> > Barlaeus doesn't issue self-signed public certificates; we are our own 
> > CA authority and we are our own root authority. We ask people to trust 
> > us as CA authority. There's a great difference between SSH security 
> > and PKI security.
> 
> Of course, the *problem* here is that the PKI doesn't provide 
> any *REAL* security, because any browser out there right now 
> will quite happily close the little padlock saying that you 
> have successfully followed the link to 
> https://www.pwned-web.com/cgi-bin/your-phish-here.php (and 
> *that* attack is much easier to set up than an actual MITM 
> with/without DNS spoofing).
> 
> And no, that recent "improved security" certificate stuff 
> where you'll get a different color padlock if you visit a 
> site that's had more money extorted from them won't actually 
> fix the problem.
> 
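Added illustration for this archive page (not part of any message in the thread, and written long after it; Go's crypto/x509 did not exist in 2007) of the A/B/C/D exchange quoted above and of Valdis's padlock point. The program builds a root CA D, has D issue a certificate to C, has B present a self-signed certificate that merely claims C's name, and finally has D issue a perfectly ordinary certificate for www.pwned-web.com, the hostname from the quoted message. Client A's check accepts the first, rejects the second, and accepts the third: chaining to a trusted root is all the padlock asserts. The CA name "D Root CA" and the hostname "c.example" are made-up placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate describes root CA "D": a certificate permitted to sign others.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// leafTemplate describes a TLS server certificate for one hostname.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// mustIssue creates a fresh key pair and a certificate for tmpl. With parent == nil
// the certificate is self-signed; otherwise parentKey (the CA's key) signs it.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// accepted is what client A does: build a chain from cert to a trusted root
// and check that the certificate is valid for the hostname A connected to.
func accepted(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Result records which presented certificates client A accepts.
type Result struct {
	GenuineOK  bool // C's certificate, signed by D, offered for C
	ImpostorOK bool // B's self-signed certificate naming C, offered for C
	PhishOK    bool // a D-signed certificate for the phishing host, offered for that host
}

// RunScenario plays the A/B/C/D exchange from the thread against Go's verifier.
func RunScenario() Result {
	d, dKey := mustIssue(caTemplate("D Root CA"), nil, nil) // hypothetical CA name
	roots := x509.NewCertPool()                             // A's trust store, as shipped by its manufacturer
	roots.AddCert(d)
	c, _ := mustIssue(leafTemplate("c.example", 2), d, dKey)             // hypothetical hostname for C
	b, _ := mustIssue(leafTemplate("c.example", 3), nil, nil)            // B: self-signed, only claims to be C
	phish, _ := mustIssue(leafTemplate("www.pwned-web.com", 4), d, dKey) // hostname taken from the thread
	return Result{
		GenuineOK:  accepted(c, roots, "c.example"),
		ImpostorOK: accepted(b, roots, "c.example"),
		PhishOK:    accepted(phish, roots, "www.pwned-web.com"),
	}
}

func main() {
	r := RunScenario()
	fmt.Printf("C's D-signed cert accepted: %v\n", r.GenuineOK)
	fmt.Printf("B's self-signed cert naming C accepted: %v\n", r.ImpostorOK)
	fmt.Printf("D-signed cert for phishing host accepted: %v\n", r.PhishOK)
}
```

Run with `go run .`; the third line is the point of the quoted message: nothing in the verifier looks at what the site behind www.pwned-web.com does, only at whether some trusted D vouched for the name.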