[cap-talk] Firefox and identifiability, small steps or large

Ian G iang at systemics.com
Sat Feb 12 16:17:52 EST 2005


Ka-Ping Yee wrote:

>On Wed, 9 Feb 2005, Ian G wrote:
>
>>Ka-Ping Yee wrote:
>>
>>>On the other hand, you have the logos in the TrustBar.  The logos are
>>>easier to see, but they are also fully spoofable unless you have
>>>memorized the list of CAs, and even then you are out of luck if the
>>>site you're visiting isn't among them.
>>
>>No, the logos of the CAs can resist spoofing because
>>they can be signed by the CA and/or delivered
>>with the root list or the TrustBar.  There's only
>>a hundred or so.
>
>Unless the user has memorized the list of CAs, the site logos
>are fully spoofable.  Suppose i start my own CA and call it "VeriTrust".
>I make a website for VeriTrust with an official-looking logo on it and
>make myself a self-signed key.

Then the user says, "whoa!  That's different,
better take care..."  She sees an unknown CA
logo and decides that she has to do some more
due diligence.

Also, I envisage the CA logos to be delivered
with the application, so they are in centralised
space, and signed by the CA's cert.  These
logos are not so easily spoofed because they
are "part" of the root list.

(TrustBar delivers with VeriSign's logo and
will in due course add others.)


>Then i sign PayPal's logo with my VeriTrust key and i can spoof away!
>What is the user supposed to do when they get phished?  They see
>PayPal's logo signed by a CA called "VeriTrust".  How do they know
>they can trust VeriTrust?  They have no way to make that judgement,
>unless they memorized the list of CAs in advance.  I would bet that
>90% of the users who would have fallen victim to a phish with today's
>browsers would fall for the phish signed by VeriTrust.

In today's world, they by definition trust all
CAs in the root list.  In a CA branding world,
they don't.  It's up to them to trust each and
every one a-fresh, a-new.  It's pretty easy to
do because there are only a half dozen they
will come across in the first month.


>There are probably over 100 entries in Internet Explorer's trusted
>root list.  Here are a few:
>
>    EUNet International Root CA
>    IPS SERVIDORES
>    NetLock Kozjegyzoi (Class A) Tanusitvanykiado
>    NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
>
>I don't know "NetLock Kozjegyzoi Tanusitvanykiado" from a hole in the
>wall.  How am i supposed to know that NetLock Kozjegyzoi Tanusitvanykiado
>is good and "VeriTrust" isn't?  Why should i even be expected to trust
>NetLock Kozjegyzoi Tanusitvanykiado in the first place?

Excellent.  Take care with that one!  Do some
careful checking.

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/


