On 19/2/09 14:30, Jean-Marc Desperrier wrote:
Moxie Marlinspike in Black Hat has just demonstrated a very serious i18n
attack using a *.ijjk.cn certificate.
http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
PS : Some of his other remarks about the current state of SSL are
interesting but are not really that much news for everyone on this group
and do not require similar immediate action.
I think actually his presentation is much better than just "old news"
and the results will be news for people on this group.
1. He has clearly laid out the trap of negative versus positive
feedback, and explained why Firefox 3 UI changes make the result less
secure than Ff2.
(This is not to say that the Ff3 UI should never have been done, we
needed the experiment to clarify why that direction was wrong, I for one
could not have said it like that.)
2. Also, he has highlighted the trap of HTTP versus HTTPS. This has
been known as a critical weakness since day 1 of SSL / secure browsing.
It was discovered within months of rollout, and basically ignored
because business overrode the security model. Basically, because it
opens up a systemic attack across and between boundaries, it means that
secure browsing can never be "high security".
Fixing these requires a lot of changes, none of which are possible
without agreement on the basic weaknesses. Which we don't have.
3. And then there is the punycode thing. That's just spice, as far as I
can see.
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
