Nelson Bolyard wrote:
Ian G wrote:
If HTTPS is the use for the cert, then as I suggested
in some other random long rant today (!) we could
always ask the domain owner to stick something in
the HTTP page.
Sort of like a little icon ad that people commonly do,
you can see a couple of them in the below link. I
think that makes a case that whoever stuck those
in there has at least some control over the domain,
for HTTP purposes.
Sorry for being thick here, but I don't understand what you're
suggesting. How does the content of an insecure web page
offer any proof of ownership that is stronger than email?
Both are insecure only in absolute sense.
In reality, both are reasonably secure, with
known weaknesses. But those weaknesses
are not entirely correlated.
If both of these were requested, then an
attacker would have to change over the
domain name record of the email addresses,
as well as change over the DNS settings.
As the change for the DNS settings would
involve directing all (or most) DNS traffic
over a period that was hard to determine,
this would have a much greater chance of
being noticed.
One falsified DNS record, or one bad line in your "hosts" file,
is all it takes to spoof any/all insecure web content from any
one site.
Right. But the web content is on a site
that is currently in use. And, the more
it is in use, the more it is going to be
noticed, so this scales nicely with the
importance of the check.
The reason the email trick works - I
guess - is because that email path is
never used.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
