Ian G wrote:
> Then, when the spoof BunkOfAmerika turns up, the HTML might look the same, but the browser should treat this as an untrusted site - no logos because the cert seen (if any) doesn't have any logos selected.
You're making assumptions here that I don't think will carry over to the real world, or phishing schemes in their current incarnation wouldn't work either.

In your next email you make the same point I was trying to make in earlier emails: countries in parts of Africa suck at ID checking, so some consistent worldwide approach is needed that is a balance between the two. So far the best option I can think of is the one CAcert is following; the ID checks we do certainly wouldn't be as bad as simply faxing in information and maybe one or two phone calls. It's like knowing someone's mother's maiden name and knowing that the bank the person is with always uses the mother's maiden name... That said, it certainly would be possible to bribe some people into giving them assurance points, but having a community of crypto geeks likely to report this event also means some feedback loops are likely to prevent it to a large extent as well...

In terms of the punycode issue, our first reaction was to disable domains/emails from being issued certificates. Now that I've spoken to more people I can see the security problems can't be any worse than code signing, where our current policy to get code signing certificates is to have been seen by at least 3 people (100 assurance points) and to have a copy of photo ID on file with CAcert... This, as far as I can see, would satisfy most/all concerns about this "feature"...

As far as I can guesstimate this is a lot worse than the .com/.net/.org argument. People realise through use that these can greatly differ as to ownership, with personal experience from having used the internet, *but* when you get 2 domains that to an end user look exactly like paypal.com then this blows the argument out of the water: to the end user they are completely identical, and with or without SSL (Ian, you of all people should know how much SSL is used in phishing scams :P ) it will make little difference to people... So at the end of the day, Microsoft's lack of code in this case and dominance will likely stop it from being used very widely in phishing scams (that isn't to say it won't be used all the same)...

So CAcert is being pro-active in keeping a paper trail on who's doing what etc. with respect to punycode domains (or not allowing them in the first place)...
--
Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
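The punycode concern raised in the message above is that an IDN label can render identically to a Latin brand name. The following is an added example (not code from the thread, from CAcert or from Mozilla) of the kind of check a CA or a browser vendor could run on a requested domain before issuing or trusting it: it normalises the name to both its ASCII (xn--) and Unicode forms with Python's built-in idna codec, reports labels that mix scripts, and compares a confusable-folded "skeleton" against a watchlist. The confusable map and the watchlist are constructed for illustration and cover only a handful of Cyrillic look-alikes; a real deployment would load the full Unicode confusables data (UTS #39).

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
# This is an illustration only, not the full UTS #39 confusables table.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

# Constructed watchlist of names whose look-alikes should be reported.
WATCHLIST = {"paypal", "cacert", "mozilla"}


def canonical_forms(domain: str) -> tuple:
    """Return (ascii_form, unicode_form) for a domain given in either form.

    Python's idna codec passes ASCII labels through unchanged and punycode-
    encodes non-ASCII ones, so encode-then-decode normalises both inputs.
    """
    ascii_form = domain.lower().encode("idna").decode("ascii")
    unicode_form = ascii_form.encode("ascii").decode("idna")
    return ascii_form, unicode_form


def scripts_in(label: str) -> set:
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by letters in a label."""
    found = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens are script-neutral
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(label: str) -> str:
    """Fold confusable letters to their Latin look-alike and strip diacritics."""
    mapped = "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def analyze(domain: str) -> dict:
    """Flag mixed-script labels and labels whose skeleton matches a watchlisted name."""
    ascii_form, unicode_form = canonical_forms(domain)
    labels = unicode_form.split(".")
    label_scripts = [scripts_in(label) for label in labels]
    # A single label drawing letters from two scripts is the classic homograph shape;
    # a label entirely in one non-Latin script (e.g. a Cyrillic .рф name) is not flagged.
    mixed = any(len(s) > 1 for s in label_scripts)
    # Only report a watchlist hit when the visible label is not literally that name.
    lookalikes = [
        (label, sk) for label, sk in ((l, skeleton(l)) for l in labels)
        if sk in WATCHLIST and label != sk
    ]
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "scripts": label_scripts,
        "mixed_script": mixed,
        "lookalikes": lookalikes,
    }


if __name__ == "__main__":
    # Constructed sample requests: genuine ASCII, a Cyrillic-'a' look-alike in
    # both forms, a legitimate all-Cyrillic name and a Latin name with a diacritic.
    for d in ["paypal.com", "xn--pypal-4ve.com", "p\u0430ypal.com",
              "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444", "caf\u00e9.com"]:
        r = analyze(d)
        print(f"{d!r:28} -> {r['ascii']:22} mixed={r['mixed_script']} lookalikes={r['lookalikes']}")
```

The mixed-script test alone is not sufficient: a label written entirely in Cyrillic can still imitate a Latin brand, which is why the skeleton comparison against a watchlist is kept as a second, independent signal.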
