An attack on paypal

Bill Stewart bill.stewart at pobox.com
Fri Jun 13 19:32:12 EDT 2003


At 02:24 PM 06/11/2003 -0700, David Honig wrote:
>At 12:42 PM 6/11/03 -0600, Anne & Lynn Wheeler wrote:
> >actually, if you had a properly secured DNS .... then you could trust DNS
> >to distribute public keys bound to a domain name in the same way they
> >distribute ip-addresses bound to a domain name.
>...
>Adding PKeys to Yellow Pages merely lets you get scammed *confidentially*.

Unfortunately, that doesn't help you against wetware attacks -
the "paypa1.com" and "e-g0ld.com" web sites can have valid certs,
and your browser is unlikely to notice that they're different
from the certs at the sites "paypal.com" and "e-gold.com"
because they've got different domain names.
So it won't notice that the certs have changed, because they haven't,
they're just the new certs for the new websites.
And client-side certs won't help, because the bogus sites
can happily accept them or ignore them.

An e-gold-specific or paypal-specific client can tell,
because it can remember that it's trying to see the real thing,
but the browser can't tell, except by bugging you about
"Hi, this is a new site that's giving us a new cert" placebo box.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
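The two points in the message above, that a lookalike name such as "paypa1.com" carries a perfectly valid certificate of its own, and that only a site-specific client which remembers what it is trying to reach can tell the difference, can be made concrete in code. The following is an added example, not code from the message or from any PayPal or e-gold client: the hostnames, the certificate bytes, the pinned fingerprints and the confusable-character table are all constructed for illustration.

```python
"""Added example: a site-specific client that remembers the exact host and
certificate it expects, plus the lookalike-name check a generic browser does
not perform. Everything below (certificates, pins, confusable table) is
constructed for illustration and is not real PayPal or e-gold data."""

import hashlib
import unicodedata
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded certificates. In a real client these
# come from the TLS handshake; here they exist only so the pins are
# self-consistent. The paypa1.com cert is "valid" in the sense of the message:
# a CA would happily issue it, because paypa1.com is a real, different domain.
CERT_PAYPAL = b"constructed certificate for paypal.com"
CERT_EGOLD = b"constructed certificate for e-gold.com"
CERT_PAYPA1 = b"constructed CA-issued certificate for paypa1.com"


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a certificate."""
    return hashlib.sha256(cert_der).hexdigest()


# What the site-specific client remembers: exact hostname -> fingerprint of
# the certificate previously seen for that host (constructed).
PINNED: Dict[str, str] = {
    "paypal.com": fingerprint(CERT_PAYPAL),
    "e-gold.com": fingerprint(CERT_EGOLD),
}

# Glyphs that imitate Latin letters in common fonts. Assumed, not complete.
CONFUSABLE = {
    "0": "o", "1": "l", "|": "l", "!": "l",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
}
# Letter pairs that read as one letter at small sizes.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def skeleton(name: str) -> str:
    """Reduce a hostname to a lookalike-insensitive form: case fold, strip
    diacritics, then replace confusable glyphs with the letter they imitate."""
    folded = unicodedata.normalize("NFKD", name.casefold())
    stripped = "".join(c for c in folded if not unicodedata.combining(c))
    mapped = "".join(CONFUSABLE.get(c, c) for c in stripped)
    for pair, single in CONFUSABLE_PAIRS.items():
        mapped = mapped.replace(pair, single)
    return mapped


def lookalike_of(name: str, known: Dict[str, str]) -> Optional[str]:
    """Return the known hostname that `name` imitates, or None when `name`
    is itself a known host or resembles none of them."""
    if name in known:
        return None
    target = skeleton(name)
    for host in known:
        if skeleton(host) == target:
            return host
    return None


def client_check(host: str, cert_der: bytes) -> str:
    """Decide whether the client should talk to `host` presenting `cert_der`.

    A generic browser accepts any host whose certificate chains to a trusted
    CA. This client instead knows the few hosts it exists to reach, so a
    valid certificate for a different (lookalike) host is still a refusal."""
    if host in PINNED:
        if fingerprint(cert_der) == PINNED[host]:
            return "ok"
        return "pin-mismatch"          # right host, but not the cert we remember
    target = lookalike_of(host, PINNED)
    if target is not None:
        return "lookalike:" + target   # valid cert, wrong site
    return "unknown-host"


if __name__ == "__main__":
    for h, c in [("paypal.com", CERT_PAYPAL), ("paypa1.com", CERT_PAYPA1),
                 ("e-g0ld.com", CERT_PAYPA1), ("paypal.com", CERT_PAYPA1)]:
        print(f"{h:12} -> {client_check(h, c)}")
```

The browser in the message has no equivalent of `PINNED`: it sees a fresh certificate for a fresh domain and has nothing to compare against, which is why the "new site, new cert" box is a placebo. The skeleton comparison is a heuristic and the confusable table is deliberately small; the point it demonstrates is that the check has to live in something that remembers the intended destination.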