Heikki Toivonen wrote:
Alaric Dailey wrote:
than doing things right. For example SSL for identification is
worthless without DNS being secured, and no-one on any list wants to
talk about that. Unfortunately, the number people who actually
I don't understand how you can claim this. SSL *is* the solution to
insecure DNS. Could you explain?
I must have been unclear... Let me try to clarify
DNS is insecure.
Because SSL relies on DNS, SSL assertions about the identity of a
website are.... less than reliable, No matter how thorough the identity
check. Therefore even if Verisign is issuing an EV cert for themselves,
you can not be assured that the cert hasn't been stolen and the DNS
altered with something like drive-by pharming (
http://www.schneier.com/blog/archives/2007/02/driveby_pharmin.html ).
Fixing DNS is a prerequisite for EV certs to mean ANYTHING more than
current level of SSL authentication. I realize this is WELL beyond the
scope of Mozilla and EV certs, but we can't pretend its not an issue.
As far as a fix for DNS, everyone hates hearing it, but the fix is
already out there no one wants to use it though
http://www.dnssec.com
With that said, and realizing that DNS is only one issue, the idea that
somehow EV certs are going to fix the other problems of SSL is a
complete fantasy. No one will respond to my question as to what EV will
really solve. The ONLY thing that it does is cost everyone more money,
and provide the users a little more feedback (and that feedback is of
questionable use).
Eddy's proposal gives the users more feed back, and offers the users the
chance to validate the info themselves, this is of much greater use than
the green-bar that IE gives (I have already ranted about how worthless
that is, and how the hype gives a completely false impression of
security) . Furthermore, Eddy's proposal helps the small CAs who are
are trying to be pushed out of business by EV cert proposals.
My intention of my last email and this one, is to show that EV certs
aren't what they are cracked up to be, there is much more to it than
making a new class of certificate and a pretty bar for the user, it's
nothing more than large companies trying to line their pockets because
they are losing business to the little guys (registerfly was selling
certs for $200 less than Verisign and StartCom offers certs for free).
Knowing SSL and its weaknesses, I would much rather have more
information about the existing certs, than a green bar for less than 1%
of all websites and no additional information. At very least this gives
ME the chance to decide rather than giving me a false sense of security.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
