On Sun, 8 Dec 2013 13:14:44 -0800, Gregory Maxwell wrote: > On Sun, Dec 8, 2013 at 1:07 PM, Drak <d...@zikula.org> wrote: >> Simple verification relies on being able to answer the email sent to >> the >> person in the whois records, or standard admin/webmaster@ addresses >> to prove >> ownership of the domain > > Godaddy and many other CA's are verified from nothing other than a > http fetch, no email involved.
It's just as easy to steal emails via a BGP or DNS redirect anyway.. you could even take over the actual domain at the registry level by stealing a password reset via BGP or DNS redirect and actually many registries will hand over control of a domain by faxing them a forged driving license in the owner's name anyway so it doesn't even really need to be a particularly sophisticated attacker. Once you have registry control of the domain it's easy enough to get an SSL cert too, probably even an 'extended validation' one. When Afghanistan was taken over the entire .af TLD was probably transferred using a forged fax to ICANN (http://web.archive.org/web/20041017031020/http://www.iana.org/cctld/af/razeeq-letter-13aug02.pdf) but I guess that's a little different :p Rob ------------------------------------------------------------------------------ Sponsored by Intel(R) XDK Develop, test and display web and hybrid apps with a single code base. Download it for free now! http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk _______________________________________________ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
