Gervase Markham:
> Nelson Bolyard wrote:
>> If you haven't already done so, read Dan Kaminsky's slides from his
>> talk at blackhat.  http://www.doxpara.com/DMK_BO2K8.ppt
>>
>> After he presents the DNS attack, he talks about SSL, certs, and what
>> browsers must do to get real security against DNS attacks from SSL and
>> certs.
>>
>> If you don't have time to read all 107 slides (:-), at least read
>> slides 63-69, especially 73-79, and 87-89.  61 is important too.
>>
>> Major takeaways:
>> 1) DV certs' authenticity assurances are worthless in the face of DNS attacks
>> 2) Browsers don't yet create adequate distinction between EV and DV certs.
>> 3) DV server sites have the same power with a user's browser as EV sites.
>
> 4) The fact of 1), combined with the fact that we backed down on making
> sites have to be EV-only (which Opera tried, but other browser vendors
> decided not to do) means that EV protection could have been compromised.
> And further vulnerabilities of this sort would reopen the same hole.
>
> In other words, the security of EV currently depends on the security of
> the DNS. This is bad.
>
> Gerv

Well, I don't agree with the statements above. It really depends what 
kind of DNS attack it is and how prepared the CA is and what the CA does 
about it. Besides that, I don't understand where the weakness should be 
- DV certs are all about protecting against DNS spoofing attacks...

Number 2 I don't understand either...what other distinction should be 
made between EV and DV certs? And which powers do sites have anyway with 
a browser? Does a secured site have more "powers" over the browser than 
a site over plain text? What's this crap..?

And at last, how does EV depend on the security of DNS servers exactly? 
Certificates PROTECT against weaknesses of DNS servers and other 
possible failures, validated certificates even more. They don't depend 
on it...

With all due respect to Dan Kaminsky, but I think he's missing a few 
points here...or merely grabbing for headlines. There is nothing in his 
slide show which I didn't know either nor which isn't common knowledge 
for quite some time - at least in our industry.


-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
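As an added illustration of what takeaway 1) above turns on (my own toy model, not code from this thread, from Kaminsky's slides or from any CA; example.test, the addresses and the tokens are constructed): a DV check resolves the name and fetches a token from whatever host the resolver returns, so the issuance decision inherits the resolver's answer, and validating from more than one vantage point is one way to narrow that dependence.

```python
# Toy model of domain-validated (DV) issuance and where DNS enters it.
# All names, addresses and tokens below are constructed for the example.

# The "internet" as the CA sees it: IP -> validation tokens served by the
# host at that address. 192.0.2.10 is the real owner of example.test;
# 203.0.113.7 is a host under someone else's control.
HOSTS = {
    "192.0.2.10": {"owner-token"},
    "203.0.113.7": {"rogue-token"},
}

# Resolvers the CA might consult, reduced to name -> IP. A poisoned cache
# simply returns the wrong address for the name.
CLEAN_RESOLVER = {"example.test": "192.0.2.10"}
POISONED_RESOLVER = {"example.test": "203.0.113.7"}


def dv_validate(domain: str, token: str, resolvers: list) -> bool:
    """Resolve the name via each resolver and require the host found there
    to serve the token. A CA using one resolver trusts that one answer."""
    for resolver in resolvers:
        ip = resolver.get(domain)
        if token not in HOSTS.get(ip, set()):
            return False
    return True


def issuance_outcomes() -> dict:
    """Would a DV cert for example.test be issued to the holder of each token?"""
    return {
        # The legitimate owner validates normally.
        "owner, clean resolver": dv_validate(
            "example.test", "owner-token", [CLEAN_RESOLVER]),
        # The CA's only resolver is poisoned: the rogue token validates, so the
        # certificate's assurance is exactly as good as that DNS answer.
        "rogue, poisoned resolver": dv_validate(
            "example.test", "rogue-token", [POISONED_RESOLVER]),
        # Multi-perspective validation: one clean vantage point refuses it.
        "rogue, poisoned + clean": dv_validate(
            "example.test", "rogue-token", [POISONED_RESOLVER, CLEAN_RESOLVER]),
    }


if __name__ == "__main__":
    for case, issued in issuance_outcomes().items():
        print(f"{case:26s} -> {'issued' if issued else 'refused'}")
```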
