On 02/19/2009 03:30 PM, Jean-Marc Desperrier:
> Moxie Marlinspike at Black Hat has just demonstrated a very serious i18n
> attack using a *.ijjk.cn certificate.
> http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
> .cn is authorized for i18n, and the * will match anything, allowing all
> the classic i18n-based attacks.

This was striking:

  Get a domain-validated SSL wildcard cert for *.ijjk.cn

> So what's the proper immediate/long-term solution? Disable punycode for
> the wildcard part of certificates?

Disallow domain-validated wildcard certificates. Make identity
validation a requirement, same as with code signing. It has been said
over and over again, not just by chance.

> PS: Some of his other remarks about the current state of SSL are
> interesting but are not really that much news for everyone on this group
> and do not require similar immediate action.

Nope... but this is another good one:

  If we want to avoid the dialogs of death, start with HTTP not HTTPS.

Yeah, why not actually, 'cause it's easy to fake that blueish icon too...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
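As an added illustration (not code from the thread or from any of its participants), here is the client-side mitigation Jean-Marc asks about, "disable punycode for the wildcard part", written as a certificate name matcher: a wildcard may only be the whole leftmost label, matches exactly one label, and refuses to match a punycode (xn--) label unless explicitly allowed. Function names and the sample hostnames are my own.

```python
import re

# Letters, digits and hyphen: the only characters a DNS hostname label may carry.
_LDH = re.compile(r"^[a-z0-9-]+$")


def to_alabel(label: str) -> str:
    """ASCII-compatible (punycode) form of a single hostname label."""
    return label.encode("idna").decode("ascii").lower()


def cert_name_matches(cert_name: str, host: str, allow_idn_wildcard: bool = False) -> bool:
    """Decide whether a certificate's DNS name covers a hostname.

    Rules (a defensive reading of wildcard practice, not any CA's policy):
      * a wildcard is only valid as the entire leftmost label ("*.example.cn")
        and needs at least two labels after it, so "*.cn" covers nothing;
      * the wildcard matches exactly one label, never across dots;
      * unless allow_idn_wildcard is True, the wildcard refuses to match an
        A-label (punycode, "xn--" prefix), which is the mitigation raised
        in the thread. Literal A-labels in the certificate still match exactly.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard never spans several labels
    if "*" in cert_name:
        if (cert_labels[0] != "*" or len(cert_labels) < 3
                or any("*" in lbl for lbl in cert_labels[1:])):
            return False  # partial, embedded or too-short wildcards are rejected
        first = host_labels[0]
        if not _LDH.match(first):
            return False
        if first.startswith("xn--") and not allow_idn_wildcard:
            return False  # the "disable punycode for the wildcard part" rule
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


if __name__ == "__main__":
    # Constructed sample: a Japanese label under the thread's *.ijjk.cn wildcard.
    idn_host = to_alabel("例え") + ".ijjk.cn"
    print("www.ijjk.cn      ->", cert_name_matches("*.ijjk.cn", "www.ijjk.cn"))
    print(idn_host, "->", cert_name_matches("*.ijjk.cn", idn_host))
    print(idn_host, "(IDN wildcard allowed) ->",
          cert_name_matches("*.ijjk.cn", idn_host, allow_idn_wildcard=True))
```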