encrypted tapes (was Re: Papers about "Algorithm hiding" ?)
Jason Holt
jason at lunkwill.org
Wed Jun 8 22:04:39 EDT 2005
On Wed, 8 Jun 2005, David Wagner wrote:
[...]
> That said, I don't see how adding an extra login page to click on helps.
> If the front page is unencrypted, then a spoofed version of that page
> can send you to the wrong place. Sure, if users were to check SSL
> certificates extremely carefully, they might be able to detect the funny
> business -- but we know that users don't do this in practice.
>
> Dan Bernstein has been warning of this risk for many years.
> http://cr.yp.to/djbdns/bugtraq/19991114052453-12962-qmail@cr-yp-to
> http://cr.yp.to/dnscache/bugtraq/19991115014346-20612-qmail@cr-yp-to
>
> As far as I can tell, if the front page is unencrypted, and if the
> attacker can mount DNS cache poisoning, "pharming", or other web spoofing
> attacks -- then you're hosed. Did I get something wrong?

Well, yes. TLS guarantees that you're talking to the website listed in the
location bar. Knowing what domain you *wanted* is up to you, and Dan handles
that by suggesting that perhaps you have a paper brochure from the bank which
lists their domain.

So, it's fine to have http://amex.com link to https://amex.com (or
whatever.com) for forms requesting anything sensitive as long as amex.com (or
whatever.com) is what's printed in the brochure. As Dan points out,
examination of the certificate is generally pointless as long as it's signed
by a trusted CA, since the attacker can get a perfectly valid cert for
hackers-r-us.com anyway. The big question is just whether the domain asking
for your account info corresponds with the organization you trust with it.

Of course, brochures aren't exactly hard to spoof (cf. Verisign's fraudulent
domain renewal postcards). And then there are the dozens of CAs your browser
accepts, the CA staff who issue microsoft.com certs to random passersby,
international domain names that look identical to, er, national ones. All
those gotchas apply even in the "correct" implementation outlined by Dan.

-J
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
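
Added example, not part of the original message: a Python sketch of the check the reply describes, comparing the host that asks for sensitive data against a domain learned out of band (the brochure) instead of relying on certificate validity. The function names, finding labels, the choice to accept subdomains of the expected domain, and the sample URLs are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

def scripts(label):
    """Scripts used by the letters of a DNS label (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def ascii_form(host):
    """Punycode (IDNA 2003) form of a host, i.e. what actually goes on the wire."""
    return host.encode("idna").decode("ascii")

def check_form_target(expected_domain, url):
    """Return findings for a URL that requests sensitive data.

    expected_domain is the name obtained out of band (assumption: subdomains
    of it are also acceptable). An empty list means the URL passed.
    """
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    # Without TLS nothing ties the page to the name in the location bar.
    if parts.scheme != "https":
        findings.append("not-https")
    # A CA-signed certificate for some other domain is still the wrong domain.
    if host != expected and not host.endswith("." + expected):
        findings.append("domain-mismatch")
    # Internationalized labels that mix scripts can render like an ASCII name.
    for label in host.split("."):
        if not label.isascii() and len(scripts(label)) > 1:
            findings.append("mixed-script-label")
            break
    return findings

if __name__ == "__main__":
    # Constructed sample URLs; the last one starts with Cyrillic U+0430.
    samples = [
        "https://amex.com/login",
        "http://amex.com/login",
        "https://hackers-r-us.com/login",
        "https://\u0430mex.com/login",
    ]
    for url in samples:
        host = urlsplit(url).hostname
        print(ascii_form(host), check_form_target("amex.com", url))
```

The mixed-script test only catches labels that combine scripts; a lookalike written entirely in one non-Latin script passes it and is caught only by the domain comparison.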