Ian G wrote:
We know the domain name is being checked, and we can trace this to the cryptographic security model of SSL: It provides encryption in order to stop eavesdroppers. In order to overcome spoofing (a.k.a. MITM) the domain name is checked in the cert.
While the browser doesn't warn fingerprints have changed I don't see how man in the middle attacks can be noticed/prevented/known about, this is one really strong point SSH has over SSL, the fact it actively warns you about something changing and that there could be a man in the middle attack occurring, or had occurred in the past. Usually it just means host keys have changed, but without this information it is VERY difficult to identify this attack at present.
I'm kinda surprised you haven't made more noise about this when you made mention previously about some CAs offering snooping services to govt's and being a conflict of interest.
I would be surprised if phishers couldn't walk through the major CA's practices right now like chocolate through a goose... There's a huge
So on one hand you are suggesting we foist problems onto CAs and on the other you show how that won't stop problems. So how is it forcing problems onto CAs is going to fix anything? :)
--
Best regards, Duane
http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers
"In the long run the pessimist may be proved right, but the optimist has a better time on the trip." _______________________________________________ mozilla-crypto mailing list mozilla-crypto@mozilla.org http://mail.mozilla.org/listinfo/mozilla-crypto