Nelson Bolyard wrote: > If you haven't already done so, read Dan Kaminsky's slides from his > talk at blackhat. http://www.doxpara.com/DMK_BO2K8.ppt > > After he presents the DNS attack, he talks about SSL, certs, and what > browsers must do to get read security against DNS attacks from SSL and > certs. > > If you don't have time to read all 107 slides (:-), at least read > slides 63-69, especially 73-79, and 87-89. 61 is important too. > > Major takeaways: > 1) DV certs' authenticity assurances are worthless in the face DNS attacks > 2) Browsers don't yet create adequate distinction between EV and DV certs. > 3) DV server sites have the same power with a user's browser as EV sites.
4) The fact of 1), combined with the fact that we backed down on making sites have to be EV-only (which Opera tried, but other brower vendors decided not to do) means that EV protection could have been compromised. And further vulnerabilities of this sort would reopen the same hole. In other words, the security of EV currently depends on the security of the DNS. This is bad. Gerv _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
