RE: Non-English Domain Names Likely Delayed

I don't know of any other IEEE/NANOG/IETF/ICANN-sanctioned method to
completely confuse even a savvy IT user who is trying to determine the
validity of an SSL site.

There are dozens of ways we know of, and probably more that lie


to exploit vulnerabilities in DNS, browsers, and in human nature to



Sure, there are bugs and hacks. The existence of such does not justify
approving new measures (in this case, a glaring security hole) as a
global standard. In fact, quite the opposite: folks are generally trying
to fix such problems, not push them forward in public policy agenda.

It's clear that no one intended for the side effect of a complete
meltdown in the user layer of SSL (where the only thing you can do is
double-check the URL in your browser and verify there's a padlock icon
in your status bar), but the side effect is there and it's naive to
pretend that fairness to non-English folks or globalization justifies a
hole this large. Certainly, the vulnerability is just as much a problem
for the targeted benefactors of this change.


If I was feeling especially cynical (and hey, who isn't on a Monday?) I'd say that the validity of an SSL site is a lot harder to judge than people think, and a savvy IT user would do well to trust very few of them.

For a well-known common name with a global reputation, you might have a reasonable expectation that a successful wander down a certificate chain might be worth trusting: a CA would have to be fairly remiss to issue a certificate to some random customer who claimed to be Amazon or Microsoft (or Amázon or Micrósoft, for that matter).

However, when it comes to a web store whose name isn't well-known, "good certificate" frequently means little more than "the operator of the site is able to mark up some letterhead and send a fax".

And of course, nobody here would be guilty of clicking "accept" on a warning that the validity of a self-signed certificate cannot be determined. Thought not.

Maybe a bit of healthy distrust is overdue for injection into the CA economy.