"You'll see the typical security geek saying, 'People are dumb, people are stupid, they're never going to be trained,'" said Rohyt Belani, PhishMe co-founder and CEO. "We have statistics to prove otherwise."
This entry was posted on Friday, January 2nd, 2009 at 10:33 am and is filed under Uncategorized.
Responses to "Nobody is perfect"
Yes that's correct. Mike Zusman detected a real flaw in our system by using an SSL proxy tool to change the values of the validation emails. The attempt to get a certificate for http://www.verisign.com was detected within 8 minutes and Mike was blocked from our systems. After a short conversation, it was reproduced and correctly fixed.
Nevertheless, this is under our direct control and, needless to say, our further layers of defenses succeeded in preventing an attack on a high-profile target such as Verisign. As such, you are right, no system is perfect and mistakes do happen. However, exactly because of that, special care must be taken and the system itself must be protected. More than that, retaining all evidence is important as well. As such we also had the capability to verify if other such attempts happened. We've found none.
There is a huge difference in my opinion between this flaw and that of Comodo, as no validation system was in place at all. That's not a flaw, it was simply non-existent. Would StartCom outsource domain validation to a third party? Most likely not.
StartCom made the "Critical Event Report" publicly available here.
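The flaw described in the comment above is a general one: the address a domain-validation email goes to was taken from a value the client submitted, so a local SSL proxy could rewrite it before it reached the CA. The following is an added example (not StartCom's, PhishMe's or any CA's code) showing the pattern from the defender's side: the server derives the set of acceptable validation recipients from the requested domain itself, rejects anything else, and keeps an audit trail so that tampering attempts can be found afterwards. The mailbox list, the WHOIS table and all request data are constructed stand-ins, and the example checks the exact domain only (no parent-domain handling).

```python
"""Added example: choosing a domain-validation email recipient server-side.

Constructed for illustration; none of the data or addresses are real.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Conventional administrative mailboxes a CA may use to prove control of a
# domain (the same names the CA/Browser Forum Baseline Requirements list).
ADMIN_MAILBOXES = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

# Constructed stand-in for a WHOIS lookup: registrant contact per domain.
CONSTRUCTED_WHOIS = {
    "example.com": "registrant@example.com",
}


@dataclass
class ValidationRequest:
    domain: str
    # The recipient field as it came back from the browser. Anything the
    # client sends can be rewritten by a proxy, so it is never trusted alone.
    requested_recipient: str
    actor: str  # account that placed the order, for the audit trail


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, outcome, req, reason=""):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "outcome": outcome,
            "domain": req.domain,
            "recipient": req.requested_recipient,
            "actor": req.actor,
            "reason": reason,
        })


def allowed_recipients(domain):
    """Addresses the CA itself can justify for this domain: the conventional
    admin mailboxes plus the registrant contact from the (constructed) WHOIS."""
    domain = domain.strip().lower()
    allowed = {f"{name}@{domain}" for name in ADMIN_MAILBOXES}
    contact = CONSTRUCTED_WHOIS.get(domain)
    if contact:
        allowed.add(contact.lower())
    return allowed


def choose_recipient_vulnerable(req):
    """The flawed pattern: the form field wins, whatever it says."""
    return req.requested_recipient


def choose_recipient_hardened(req, log):
    """The fixed pattern: the client may pick among server-derived options
    only; anything else is refused and logged."""
    recipient = req.requested_recipient.strip().lower()
    if recipient not in allowed_recipients(req.domain):
        log.record("rejected", req, reason="recipient not derived from domain")
        return None
    log.record("accepted", req)
    return recipient


def rejected_attempts(log, domain=None):
    """Audit query: rejected recipients, optionally for one domain. This is
    the kind of record that lets a CA answer 'did this happen elsewhere?'"""
    return [
        e for e in log.entries
        if e["outcome"] == "rejected" and (domain is None or e["domain"] == domain)
    ]


if __name__ == "__main__":
    log = AuditLog()
    tampered = ValidationRequest("example.com", "outsider@elsewhere.example", "test-account")
    print("vulnerable:", choose_recipient_vulnerable(tampered))
    print("hardened:  ", choose_recipient_hardened(tampered, log))
    print("rejected:  ", rejected_attempts(log))
```

The important design choice is that the client never supplies an address; it only selects one of the options the server computed from the domain. The audit log is kept deliberately separate from the decision so that a later review can list every rejected attempt per domain rather than only the one that happened to be noticed.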
As you say, there are proper CAs doing their best to make the world a safer place, and there are those out for easy money.
Since there is no international system of approval for CAs, we are in a more difficult situation than when we want to know if a chartered accountant can be trusted. Each browser maker has to either do their own rather expensive vetting of CAs who want to be included in their rootstore, or they have to rely on somebody else's rootstore. Those who go with their own rootstore risk negative attention if they are being more careful than the most lenient competitor – "browser X does not work with site Y" – because most users do not understand that it has something to do with security until after they have been burned.
Another problem is even bigger than the unreliable CA. The unreliable domain registrar has mostly been overlooked, even though they are in many cases easier to target.
Even if the certificate providers do their job, that does not help much if the registrar does not provide up to date and truthful information about who owns the domain. Nor does it further net safety that some will let a domain be transferred quickly and without an audit trail, do not check the identity of the new owner, or any number of other sloppy behaviours we know have caused problems in the past.
Wow, thanks for the timely blog. I found this via Google researching for the keyword "comodo sucks" just to check if there is something negative being said about the company.
We were about to consider purchasing a code signing certificate from them. But with this issue, I think we better stick with the other guys: either Verisign or Godaddy.
- Ismael
I work for secure128.com, which is a wholesale reseller (registered agent) of several SSL brands. We considered also reselling the Comodo SSL brand but decided against it because of this very issue.
As Bjorn posted above, "there are proper CAs doing their best to make the world a safer place, and there are those out for easy money." is 100% correct in Comodo's case.
The simple fact is that when you become a reseller of Comodo, you get the option in their portal to simply "checkmark" a box acknowledging that you have gathered all the required vetting documentation from your SSL customer for each order placed. This completely pushes off the responsibility of verifying domain owner's identities from the Certificate Authority (Comodo) to the resellers who are NOT in the business of verifying identities.
In short, Comodo does not provide any form of domain owner identity verification through the resellers of their products at all! Sure they provide encryption but give you no idea of who actually owns the website you're attempting to trust.
Pathetic!
-Dom Montgomery