On 03.01.2009 07:18, Eddy Nigg wrote:
The validations wizard allows for a selection of a few possible email addresses considered for administrative purpose or as listed in the whois records of the domain name. The flaw was that insufficient verification of the response at the server side was performed, allowing him to validate the domain by using a different email address than the validations wizard actually provided.

Ah, I see.

(no information follows, just opinion)

Yes, that is (just?) a bug. It does mean that a developer didn't think correctly - it's a general rule in security to validate all input, distrust all other parties, and this was not done here. I'd check similar code near there, and the other code of that developer, but IIRC you wrote that you did that at least to some degree and rectified other potential problems.

I was already scared that you let the user's browser do the domain validation, and let the browser report "yes, the verification passed", or something like that. Yes, that would have been incredibly stupid, but given what we learned recently about some other CAs... This bug is not too far from that, but at least not that obviously stupid, it can really have been just an oversight of the developer in question, and his reviewer.

Ben
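The server-side check whose absence Eddy describes, shown as an added example that is not code from the CA or from anyone in this thread: the handler re-derives the set of addresses the wizard offered and rejects a posted address outside it. The generic mailbox names and the WHOIS stand-in are assumptions.

```python
# Added example (not the CA's code): the "pick a validation address" step of a
# domain-validation wizard, first in the flawed shape the message describes,
# then hardened so the server never trusts the address the client posts back.
from dataclasses import dataclass

# Generic administrative mailboxes a CA might offer for any domain (assumption).
ADMIN_LOCALPARTS = ("admin", "administrator", "hostmaster", "postmaster", "webmaster")

# Constructed stand-in for a WHOIS lookup; a real CA would query the registry.
FAKE_WHOIS_CONTACTS = {"example.org": ["registrant@registrar-mail.example"]}


@dataclass
class ValidationRequest:
    domain: str
    chosen_email: str  # whatever the client's form submitted


def offered_addresses(domain: str) -> set[str]:
    """The set the wizard displays: generic mailboxes plus WHOIS contacts."""
    domain = domain.lower().strip()
    generic = {f"{lp}@{domain}" for lp in ADMIN_LOCALPARTS}
    return generic | {c.lower() for c in FAKE_WHOIS_CONTACTS.get(domain, [])}


def pick_target_vulnerable(req: ValidationRequest) -> str:
    """Flawed: the verification code goes to whatever address was posted,
    so the offered list is only enforced by the browser, not the server."""
    return req.chosen_email


def pick_target_hardened(req: ValidationRequest) -> str:
    """Fixed: recompute the allowed set on the server; anything else is rejected."""
    chosen = req.chosen_email.lower().strip()
    if chosen not in offered_addresses(req.domain):
        raise ValueError(f"{req.chosen_email!r} was not offered for {req.domain}")
    return chosen


if __name__ == "__main__":
    bad = ValidationRequest("example.org", "outsider@unrelated.example")
    print("vulnerable would mail the code to:", pick_target_vulnerable(bad))
    try:
        pick_target_hardened(bad)
    except ValueError as err:
        print("hardened rejects:", err)
```

Logging the rejection with the submitted address and domain gives reviewers a cheap detection signal for the same class of tampering elsewhere in the wizard.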
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
