On Feb 20, 7:55 am, Jean-Marc Desperrier <jmd...@alussinan.org> wrote: > Eddy Nigg wrote: > > On 02/19/2009 03:30 PM, Jean-Marc Desperrier: > >> Moxie Marlinspike in Black Hat has just demonstrated a very serious i18n > >> attack using a *.ijjk.cn certificate. > >>http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-D... > > >> .cn is authorized for i18n, and the * will match anything, allowing all > >> the classic i18n based attacks. > > > This was striking: > > > Get a domain-validated SSL wildcard cert for *.ijjk.cn > > Yes, it's surprising how some of such attacks seem obvious *after* they > have been done, but it takes so long to realize it can be done. > > The md5 collision between a normal and a *CA* certificate was similar > for me, "how the fuck did we not think earlier, when it was already > obvious someone would soon create a collision between two real md5 > certs, that they just had to do that to make the attack really effective". > > This being said : Is there already a bug open for this ? The only thing > that stops me opening it myself is that it might already exist but be > security restricted. > > PS : I think this discussion should be on mozilla.dev.security since > it's about a security vulnerability, not crypto and not security.policy. > Does everyone share my opinion ? (I'm setting the follow-up there)
I have no idea as to how to submit an idea to the Mozilla dev team, but it seems to me that a step towards a solution might include color- coding portions of the URL to indicate which is the domain that's "authenticated" by SSL. For example: Black on White-> https:// White on blue -> www.pnc.com Black on light red -> /pages/of/junk/index.html Yes, it still requires a user to notice the change and make a decision based on that, but having a strong visual indicator is a step in the right direction, IMHO. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
