On 01/03/2009 10:03 PM, Ben Bucksch:
> On 03.01.2009 20:01, Eddy Nigg wrote:
>> the other layers of defense
> Please don't call the blacklist a real "layer of defense". If he hadn't
> tried to get a cert for paypal.com, it would have worked. All layers
> failed. Please be honest enough with yourself to admit that, so that you
> can try to find new layers or checks.
How can you say that? First of all, it was a certificate for verisign and
not paypal, even though he could have tried that too (and failed). Nor is
it a blacklist per se, but a quite intelligent flagging and review
system. It's one of the layers of defense...
...if you remember the phishing attempt made on some small American
financial institution with a cert from GeoTrust. Our flagging system was
greatly improved as a direct result of what we learned from that
event. That is, it is a defense not only against a bug, but also against
attempts similar to the one just mentioned. It of course includes
high-profile targets, but not only those.
The only alternative would be manual verification of each and every
certificate, which in my opinion isn't very efficient for domain validation.
But for comparison, where was the layer of defense at the other recent
event? A black-list could have prevented that, don't you think?
> FWIW, I think it's a bit of an overreaction to immediately revoke *all* his
> certs.
Well, those were exactly two. It was the correct response.
>> The staff has reacted incredibly fast, and awareness was high as well.
> Yes, that surprised me, too.
> Even during the day, it was fairly fast. But it was in the middle of the
> night (midnight and later), right? Were the times local time (Israel) or
> UTC?
Yes, local time.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto