| |||||||||||||
|
| |||||||||||||
New IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine)New IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine)Posted Feb 22, 2005 18:32 UTC (Tue) by iabervon (subscriber, #722)In reply to: New IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine) by ekj Parent article: New IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine)
It is not really necessary to have a client certificate; the server certificate is sufficient identification of the server. The problem is that browsers use certificate authorities to determine whether a certificate should be trusted, which is the real flaw. The browser should really store the certificates of sites you have a relationship with and tell you if you get a new certificate. If you go to an encrypted page where you haven't seen the certificate before, you should go through a process where the browser tells you that the certificate is new, tells you to be suspicious if you thought you'd been there before, lets you compare the fingerprint against a known one (your bank could send you the fingerprint of their certificate in the online banking literature or your statement), and warns you if there are similar domains you've got certificates from before.
Ideally, users could store the set of certificates with their ISPs, too, so that they wouldn't lose all of their recognized certificates when changing computers, to reduce the number of times that a particular individual will legitimately see the new certificate page for the same site.
(Log in to post comments)
|
|
||||||||||||