Velocity Reviews > Newsgroups > Computing > NZ Computing > SSL Certificates
SSL Certificates

Uncle StoatWarbler
10-27-2003
On Mon, 27 Oct 2003 07:37:54 -0500, synergy5 wrote:

>
> The whole thing about root certificates etc is authentication. The
> encryption is just as good if you generate it yourself.



Uh yeah... like the Verisign - approved "microsoft.com" certificates which
were generated by someone with nothing to do with MS.

All a root-verified certificate shows is that you paid someone some money
to countersign it. They DO NOT verify who you are.


 
Uncle StoatWarbler
10-27-2003

On Tue, 28 Oct 2003 00:31:43 +1300, Adam Warner wrote:

> What self-signed certificates give you is encryption. They don't give you
> an assurance that you are talking to the computer you think you are
> talking to.


Nor do root-signed certificates. There is virtually no auditing on them.


 
AD.
10-27-2003

On Mon, 27 Oct 2003 15:32:15 +0100, Uncle StoatWarbler wrote:

> On Mon, 27 Oct 2003 07:37:54 -0500, synergy5 wrote:
>
>> The whole thing about root certificates etc is authentication. The
>> encryption is just as good if you generate it yourself.

>
> Uh yeah... like the Verisign - approved "microsoft.com" certificates which
> were generated by someone with nothing to do with MS.
>
> All a root-verified certificate shows is that you paid someone some money
> to countersign it. They DO NOT verify who you are.


I don't think that's the point. Security is about trade-offs, and nothing
is 100%.

I would still place more trust in a root-verified cert than a self-signed
one. With a trusted cert the attacker has to both social engineer a cert
AND hijack your DNS - without one they only have to hijack your DNS. It's
one extra barrier.

Discounting the value of a trusted cert, is a little bit like not
hardening your bastion hosts because they are behind a firewall.

Cheers
Anton
 
T-Boy
10-27-2003

In article <>, alanb+google4@digistar.com says...
> On Mon, 27 Oct 2003 07:37:54 -0500, synergy5 wrote:
>
> >
> > The whole thing about root certificates etc is authentication. The
> > encryption is just as good if you generate it yourself.

>
>
> Uh yeah... like the Verisign - approved "microsoft.com" certificates which
> were generated by someone with nothing to do with MS.
>
> All a root-verified certificate shows is that you paid someone some money
> to countersign it. They DO NOT verify who you are.


Yes they do.

You know damn well this was a Verisoft screw-up.

--
Duncan
 
Matthew Poole
10-27-2003

In article <>, "Uncle StoatWarbler" <alanb+> wrote:
>On Mon, 27 Oct 2003 07:37:54 -0500, synergy5 wrote:
>*SNIP*
>Uh yeah... like the Verisign - approved "microsoft.com" certificates which
>were generated by someone with nothing to do with MS.
>

IIRC that was due to a failure at MS, not at Verisign; someone got hold
of the password for the root microsoft.com certificate, and was then
able to generate new certificates that were "signed" by the
microsoft.com root. I may be wrong, but that's my understanding of what
happened.

>All a root-verified certificate shows is that you paid someone some money
>to countersign it. They DO NOT verify who you are.
>

As a general rule they're pretty safe. The big authorities do a fair
bit of work to ensure that you are who you say you are before they'll
sign a certificate. You need to produce things like certificates of
incorporation (or the local equivalent), validated proof of address,
etc. It's not quick and easy, but you already know that Alan.

--
Matthew Poole Auckland, New Zealand
"Veni, vidi, velcro...
I came, I saw, I stuck around"

My real e-mail is mattATp00leDOTnet
 
Zidoo
10-27-2003

I am a Thawte client and the serial number duplication had no effect
on my business. Thawte's support was extremely efficient in
implementing the re-issue as quickly as possible. Comodo, on the other
hand, have given me the worst support I have received through any
company.


Adam Warner <> wrote in message news:< t.nz>...
> Hi madknoxie,
>
> >> > I'm very interested to know: where do you get/purchase your SSL
> >> > certificates from?
> >>
> >> InstantSSL/Comodo are extremely competitive. Be aware that there is
> >> nothing instant about the process of obtaining a genuine certificate
> >> (in contrast to a trial certificate): <http://www.instantssl.com/>

> >
> > Yeah, I was considering Comodo until I read these:
> > http://www.sslreview.com/content/baltimore_sale.html
> > http://www.whichssl.org/content/comodo_spam.html

>
> Interesting, thanks! The validity of the facts surrounding the targeted
> emails could be material:
> <http://www.instantssl.com/ssl-certificate-news/ssl-230603.html>
>
> It certainly appears to be true that Thawte screwed up and are replacing
> certificates: <http://www.thawte.com/serial_faq.html>. If Comodo uncovered
> this and only contacted affected customers then a public interest argument
> could be made that affected customers would want to know about this (I
> certainly would, but what's the urgency if it really took 9 months of
> investigation? Not letting Thawte inform their customers first was low:
> "We will be happy to pass our findings onto Thawte so that they can take
> the necessary remedial action to their certificate generation
> procedures.")
>
> The earlier link is also troubling. If Comodo goes then the only other
> options remaining like Thawte are far more expensive. I didn't come across
> anyone else with the same level of browser compatibility as Thawte and
> Verisign while also being vastly cheaper.
>
> I don't know how worried you should be about this. If Comodo is now the
> second largest certification authority in the world they should be able to
> work something out, even if it means losing the widest level of browser
> compatibility.
>
> Watch out when comparing prices. A US$49 FreeSSL.com certificate will not
> have the same level of trust support in browsers (it appears to be MSIE
> 5.01+ and Netscape 7 only, which may be sufficient for your purposes). If
> you find out about anyone else that can match the same level of
> compatibility as Verisign and Thawte but at a similar price to Comodo then
> let us know.
>
> Regards,
> Adam

 
Howard
10-28-2003

Does anyone know the state of play for issuing client certs in NZ? So that
users can authenticate themselves online to government websites and other
"it's important we know who we're talking to" sites.

I know the Bankers Association looked at this back in 2000. They asked PWC
to recommend a way for the banks to cooperate (a la eftpos), rather than
each bank duplicating the costs of the CA scheme. PWC said to the banks "it's
too early to say" and then promptly brought out their own client cert scheme
(beTRUSTED www.betrusted.com).

The banks also wanted to be compatible with whatever their Aussie parents
were doing (ie GateKeeper
http://www.noie.gov.au/projects/conf...Gatekeeper.htm) as well
as what is happening internationally (ie Identrus www.identrus.com). I see
the Aussies are progressing well, with some degree of tie-up between Identrus
& Gatekeeper.

About the only thing that we've seen locally is the flop that was ANZ's Zed
card (www.zed.co.nz). Does anyone know more, or is NZ going to be forever in
the dark regarding online authenticated services?



 
Adam Warner
10-28-2003

Hi T-Boy,

>> >I got mine from my PC - W2K Pro - but then I'm not asking "other
>> >people" to trust it.
>> >

>> Why not? If I go to your website to purchase something, all I'm really
>> worried about is that no one can steal my CC number in transit. If they
>> can compromise your machine enough to steal your certificate, they have
>> access to your machine anyway, and presumably my CC number.

>
> ... what Adam said


By the way (and yes it's obvious to everyone with an ounce of common
sense), my use of "I" in the reply was for rhetorical effect and in no way
implies that I condone the approach or would use my computer to commit
fraud.

The most secure website credit card verification systems never even
provide the credit card number to the merchant. The financial institution
handles the transaction and lets the merchant know the result. It does
mean that the credit card number has to be entered for subsequent
transactions with the same merchant. But it also means that a criminal has
less to gain from breaking into the merchant's servers. And the public
relations issues arising out of any break in are greatly minimised
(telling all your customers their credit card numbers may have been
compromised is not endearing).

Regards,
Adam
 
Gurble
10-28-2003

On Mon, 27 Oct 2003 18:27:37 +1300, madknoxie <> wrote:

>Yeah, I was considering Comodo until I read these:
>http://www.sslreview.com/content/baltimore_sale.html
>http://www.whichssl.org/content/comodo_spam.html
>

Remember that whichssl.org (and sslreview.com) are owned by Geotrust,
whose main competitor is.... you guessed it, Comodo.

The site is just a big, cunningly disguised, marketing and propaganda
trick. Why do you think only Verisign and GeoTrust are listed as the
"Top 2 Enterprise Class SSL Providers"? Verisign? Sure. GeoTrust? I'll
leave it as an exercise for the reader to make up their own mind on
this one...

 
Enkidu
10-28-2003

On Tue, 28 Oct 2003 00:31:43 +1300, Adam Warner <> wrote:

>Hi Enkidu,
>
>>>I got mine from my PC - W2K Pro - but then I'm not asking "other people"
>>>to trust it.
>>>

>> Why not? If I go to your website to purchase something, all I'm really
>> worried about is that no one can steal my CC number in transit. If they
>> can compromise your machine enough to steal your certificate, they have
>> access to your machine anyway, and presumably my CC number.

>
>Cliff, I could use my computer to generate a certificate duplicating
>T-Boy's credentials. Then I hijack your DNS server so that when you type
>in T-Boy's website name you reach my server instead. The browser complains
>that it can't verify my self-signed certificate masquerading as T-Boy's
>just as it complains that it can't verify T-Boy's self-signed certificate.
>You won't tell the difference and I won't need to steal T-Boy's
>certificate.
>
>What self-signed certificates give you is encryption. They don't give you
>an assurance that you are talking to the computer you think you are
>talking to.
>

But with a man-in-the-middle attack you don't know either!

However, I accept that I'm losing this argument.....

Cheers,

Cliff
--

The complete lack of evidence is the surest sign
that the conspiracy is working.
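The scenario Adam Warner describes in the quoted text above, played out in Go as an added example (not code from anyone in this thread): a browser that trusts one CA root checks a CA-issued certificate, the site's own self-signed certificate, and an attacker's self-signed certificate carrying the same hostname. The CA name "ca.example", the host "shop.example" and the helper names are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error so the demo stays short
	if err != nil {
		panic(err)
	}
	return v
}
// template is a minimal certificate for name, valid for a day; the SAN is what a browser matches.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // only an issuer may sign other certificates
	}
	return t
}
// issue signs t with signer's key; parent == t yields a self-signed certificate.
func issue(t, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}
// Scenario: the browser trusts one CA root and three certificates claim the same host. Returns whether
// the CA-issued cert, the site's own self-signed cert and an attacker's self-signed cert for that name verify.
func Scenario() (issuedOK, selfSignedOK, attackerOK bool) {
	const host = "shop.example" // constructed hostname, not from the thread
	key := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	selfSign := func(t *x509.Certificate, k *rsa.PrivateKey) *x509.Certificate { return issue(t, t, &k.PublicKey, k) }
	caKey, siteKey, attackerKey := key(), key(), key()
	caCert := selfSign(template("ca.example", 1, true), caKey)
	roots := x509.NewCertPool() // the trust store a browser ships with
	roots.AddCert(caCert)
	issued := issue(template(host, 2, false), caCert, &siteKey.PublicKey, caKey) // the CA vouches for the site
	selfSigned := selfSign(template(host, 3, false), siteKey)                    // the site vouches for itself
	attacker := selfSign(template(host, 4, false), attackerKey)                  // so can anyone else
	opts := x509.VerifyOptions{Roots: roots, DNSName: host}
	ok := func(c *x509.Certificate) bool { _, err := c.Verify(opts); return err == nil }
	return ok(issued), ok(selfSigned), ok(attacker) // true, false, false: the last two look alike
}
```

The browser's verifier rejects the site's own self-signed certificate and the attacker's lookalike with the same unknown-authority error, which is exactly why a user who clicks through the warning for the genuine site cannot tell the hijacked one apart.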
 