If you haven't already done so, read Dan Kaminsky's slides from his talk at Black Hat: http://www.doxpara.com/DMK_BO2K8.ppt

After he presents the DNS attack, he talks about SSL, certs, and what browsers must do to get real security against DNS attacks from SSL and certs. If you don't have time to read all 107 slides (:-), at least read slides 63-69, especially 73-79, and 87-89. 61 is important too.

Major takeaways:

1) DV certs' authenticity assurances are worthless in the face of DNS attacks.

2) Browsers don't yet create an adequate distinction between EV and DV certs. DV server sites have the same power with a user's browser as EV sites.

Also interesting: results attributed to Consumer Reports, showing that the number of people who ignore bad cert warnings is about equal to the number who abandon attempts to visit sites because of them. ~42% +/-1% each!

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto