On 07/23/2009 03:34 PM, Martin Paljak:
Right. I'm sure I could make a bunch of people warm and fuzzy by getting some "tankers" for booze money from Moscow, transfer them to some funky ex-USSR country or maybe some tropical island, make them establish "Internet Million Dollar Lottery Inc.", get a www.milliondollarinternetlottery.com website and a nice green EV certificate and ... collect for one year, hope that the "tankists" have already died from too much alcohol and leave to Nigeria.

This is a common way of fraud/scam/money laundering I believe anywhere in the world. The way "tankists" (there is probably a better term in English) have been abused is especially common here and in surrounding countries where I live (Estonia, one of those ex-USSR). For a couple of bottles of vodka or a few hundred euros you can get a bum, shave him, wash him, clothe him, take him to the notary and the bank, get all documents to run the thing, and voila - done. There have been new money-laundering and anti-corruption laws in Estonia/EU but take some place like Armenia and you're all set.

What I want to say - if it is the green bar that makes you feel warm and safe and this is the "trust and security" we've not really achieved anything.


Which however shows that you have no clue whatsoever. The least that can be said about EV is that it's not secure. To my knowledge there has to be an EV cert issued wrongfully first. For newly established companies there are special verification requirements which have to be satisfied.


Security or trust? PGP or the "web of trust" model works because it mimics real life social interactions "my friend told me that she ..." whereas x509 trees represent the "perfect mass" for whom "this is said and thus so it shall be" is a perfectly OK situation. The green thing works until a scam like I described is pulled off and then it will be like the Verisign and Microsoft case.

Which most likely will not happen. But there is a problem distributing trust in a web-of-trust - not that it's impossible - but that's not the case with PGP.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
