Nelson B Bolyard wrote, On 2008-08-21 10:04:
> Gervase Markham wrote, On 2008-08-21 05:09:
>> Nelson Bolyard wrote:
>>> If you haven't already done so, read Dan Kaminsky's slides from his
>>> talk at blackhat.  http://www.doxpara.com/DMK_BO2K8.ppt
>>>
>>> After he presents the DNS attack, he talks about SSL, certs, and what
>>> browsers must do to get real security against DNS attacks from SSL and
>>> certs.
>>>
>>> If you don't have time to read all 107 slides (:-), at least read
>>> slides 63-69, especially 73-79, and 87-89.  61 is important too.
>>>
>>> Major takeaways:
>>> 1) DV certs' authenticity assurances are worthless in the face of DNS attacks
>>> 2) Browsers don't yet create adequate distinction between EV and DV certs.
>>> 3) DV server sites have the same power with a user's browser as EV sites.
>> 4) The fact of 1), combined with the fact that we backed down on making
>> sites have to be EV-only (which Opera tried, but other browser vendors
>> decided not to do) means that EV protection could have been compromised.
> 
> I don't follow that.  Does "we backed down on making sites have to be
> EV-only" mean "we continue to show SSL chrome indicators for DV sites"?

I was informed privately that it means that Firefox shows EV chrome
indicators, even for pages that contain some DV content.

>> And further vulnerabilities of this sort would reopen the same hole.
>>
>> In other words, the security of EV currently depends on the security of
>> the DNS. This is bad.

I agree that DV content in EV pages is just as dubious as any other DV
content.  I would favor that EV pages must have all EV content to show EV
chrome, just as SSL pages must have all SSL content to show (normal) SSL
chrome.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
