On 4/01/2015 3:42 pm, Jesse B. Crawford wrote:
> What I mean is that the situations where DNS is compromised (malicious
> DNS server, malicious local network operator, malicious third party
> pulling a trick on the local network, etc...), while completely possible
> and important to protect against, are far less common out there in the
> wild than phishers using similar-but-wrong domains (we've probably all
> seen a usbank.com.abunchofhexcharacters.numbers.cz before).
>
> I realized that I missed something earlier. When I refer to SSL
> certificates fixing this problem, I am referring to extended validation
> (EV) certificates that validate legal entity, not to the various cheaper
> certificates that only validate domain.

EV certificates don't fix any problem. The validation of a 'legal entity' is purely due to an agreed policy. A rogue, compromised, or alternate CA could release certificates with EV fields that don't 'rigorously' validate the organisation that applies for the certificate.

> EV certificates tie a service to a real-world entity, typically by the
> CA validating organizational documents (articles of incorporation,
> charter, etc) and validating that the person who submitted the request
> is an authorized agent of the organization. The certificates then
> include as part of the principal not only the domain name of the host
> but also the legal name of the operator.

Which contradicts the point of hidden services in the first place, that neither party knows the other's identity [1].

[1] https://www.torproject.org/docs/hidden-services.html.en