Re: [TLS] Eleven out of every ten SSL certs aren't valid

Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> Wed, 30 June 2010 08:09 UTC

Return-Path: <ietf-ietf-tls@m.gmane.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CF5EF3A67AE for <tls@core3.amsl.com>; Wed, 30 Jun 2010 01:09:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.204
X-Spam-Level:
X-Spam-Status: No, score=-1.204 tagged_above=-999 required=5 tests=[AWL=-0.094, BAYES_05=-1.11]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U8aJ3MSuf1hf for <tls@core3.amsl.com>; Wed, 30 Jun 2010 01:09:48 -0700 (PDT)
Received: from lo.gmane.org (lo.gmane.org [80.91.229.12]) by core3.amsl.com (Postfix) with ESMTP id 5726F3A63EC for <tls@ietf.org>; Wed, 30 Jun 2010 01:09:48 -0700 (PDT)
Received: from list by lo.gmane.org with local (Exim 4.69) (envelope-from <ietf-ietf-tls@m.gmane.org>) id 1OTsMo-0006YL-BN for tls@ietf.org; Wed, 30 Jun 2010 10:09:58 +0200
Received: from rain.gmane.org ([80.91.229.7]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <tls@ietf.org>; Wed, 30 Jun 2010 10:09:58 +0200
Received: from Bruno.Harbulot by rain.gmane.org with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <tls@ietf.org>; Wed, 30 Jun 2010 10:09:58 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: tls@ietf.org
From: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
Date: Wed, 30 Jun 2010 09:09:39 +0100
Lines: 46
Message-ID: <i0eu45$3oo$1@dough.gmane.org>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <20100629163354.GR11785@oracle.com> <AANLkTim6sYWlPSRUwYHP4UfkUNkfiVQ7xbj28fF6fOmz@mail.gmail.com> <20100629193416.GU11785@oracle.com> <AANLkTilF3TZn4DcjTmoKrv3Zcp441oyvWp-E9aJmH5hF@mail.gmail.com> <20100629204614.GX11785@oracle.com> <AANLkTinByiAIx1Pg4khiXLPb9KMexp2UUoZB7ikLzd6f@mail.gmail.com> <AANLkTik5HjADIdqIy4vzQrkQmP4nEwVa0xJUQ-gmkJvT@mail.gmail.com> <i0e1g9$t9k$1@dough.gmane.org> <AANLkTilp8KVZONKm8piOWD8JrHktS8hXVVttMKG_5Ozx@mail.gmail.com> <i0es3a$std$1@dough.gmane.org> <AANLkTilrxnI75aIH7fdePFhOrdcq8YD9N_clrfqaqdoa@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Complaints-To: usenet@dough.gmane.org
X-Gmane-NNTP-Posting-Host: rain.gmane.org
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9) Gecko/20100317 Lightning/1.0b1 Thunderbird/3.0.4
In-Reply-To: <AANLkTilrxnI75aIH7fdePFhOrdcq8YD9N_clrfqaqdoa@mail.gmail.com>
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2010 08:09:49 -0000

On 30/06/2010 08:50, Ivan Ristic wrote:
> On Wed, Jun 30, 2010 at 8:35 AM, Bruno Harbulot
> <Bruno.Harbulot@manchester.ac.uk>  wrote:
>> ...
>> (I'm still not fully convinced of the benefits of EV,
>> though.)
>
> There's an advantage or two:
>
> - Phishing sites are unlikely to have them
> - They work as a defence against phishing & MITM attacks that use
> homograph attacks or non-Latin domain names (e.g., paypal.com written
> in Russian as raural.com, or something).

I think these protections are a bit flaky in fact.
I'll take an example that I've seen once on a banking website (no need 
for an account to try this).

NatWest is a fairly big bank in the UK: http://www.natwest.com/

The 'Personal Banking' link redirects to: https://www.nwolb.com/
(where presumably, nwolb stands for "NatWest Online Banking").
This has a nice green EV certificate for "The Royal Bank of Scotland 
Group Plc (GB)".

Now, I know that NatWest belongs to RBS (mainly because I follow the 
news and that was said when these banks were rescued by taxpayer money).
If I didn't know and just looked at the stores on the streets, RBS and 
NatWest would seem to be competitors: shouldn't users be a bit 
suspicious about continuing to use a banking website when it's "green" but 
appears to have a cert issued to a competitor?

If you just educate users to say "green bar is OK", you don't have that 
much more security than the "blue bar". If you tell them they should 
look at the company in the EV certificate, then you can introduce more 
confusion. Thinking about the cert is not a bad thing, but confusion for 
non-tech users can be really bad.


Best wishes,

Bruno.
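The mismatch Bruno describes is structural: the EV indicator shows the certificate's subject Organization (and country), while the user is thinking in terms of a brand and a hostname. The following Go program, added here as an illustration and not part of the thread, builds a self-signed certificate with constructed values modelled on the example (O = "The Royal Bank of Scotland Group Plc", C = GB, SAN = www.nwolb.com; no real NatWest/RBS certificate is used) and then checks whether an expected brand appears anywhere in the identity the browser would display. The `DisplayedIdentity` and `BrandMismatch` helpers are hypothetical names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newSampleCert builds a self-signed certificate with constructed test data
// (not a real bank certificate). The subject carries the organisation name a
// browser would show in an EV indicator; the SAN carries the site hostname.
func newSampleCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:   "www.nwolb.com",
			Organization: []string{"The Royal Bank of Scotland Group Plc"},
			Country:      []string{"GB"},
		},
		DNSNames:    []string{"www.nwolb.com"},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DisplayedIdentity returns the organisation, country and certified hostnames
// that a browser would present to the user for this certificate.
func DisplayedIdentity(cert *x509.Certificate) (org, country string, hosts []string) {
	if len(cert.Subject.Organization) > 0 {
		org = cert.Subject.Organization[0]
	}
	if len(cert.Subject.Country) > 0 {
		country = cert.Subject.Country[0]
	}
	return org, country, cert.DNSNames
}

// BrandMismatch reports whether the brand the user expects appears in neither
// the subject organisation nor any certified hostname (case-insensitive).
// A true result is the situation described in the thread: a valid EV
// certificate whose displayed identity does not match the brand on the door.
func BrandMismatch(cert *x509.Certificate, brand string) bool {
	b := strings.ToLower(brand)
	for _, o := range cert.Subject.Organization {
		if strings.Contains(strings.ToLower(o), b) {
			return false
		}
	}
	for _, h := range cert.DNSNames {
		if strings.Contains(strings.ToLower(h), b) {
			return false
		}
	}
	return true
}

func main() {
	cert, err := newSampleCert()
	if err != nil {
		panic(err)
	}
	org, country, hosts := DisplayedIdentity(cert)
	fmt.Printf("EV indicator would show: %s (%s)\n", org, country)
	fmt.Printf("Certified hostnames: %v\n", hosts)
	for _, brand := range []string{"NatWest", "Royal Bank of Scotland", "nwolb"} {
		fmt.Printf("brand %q mismatch: %v\n", brand, BrandMismatch(cert, brand))
	}
}
```

The program prints a mismatch for "NatWest" and none for "Royal Bank of Scotland" or "nwolb", which is exactly why "look at the company in the green bar" can confuse a user who does not know the corporate group structure behind a brand.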