Financial Cryptography: VeriSign's conflict of interest creates new threat by Decius at 7:13 pm EST, Jan 19, 2006
Here's where the reality meter goes into overdrive. VeriSign is also the company that sells about half of the net's SSL certificates for "secure ecommerce [4]." These SSL certificates are what presumptively protect connections between consumers and merchants. It is claimed that a certificate that is signed by a certificate authority (CA) can protect against the man-in-the-middle (MITM) attack and also domain name spoofing. A further irony is that VeriSign also runs the domain name system for the .com and the .net domains. So, indeed, they do have a hand in the business of domain name spoofing; the point here is that, on the one hand, VeriSign is offering protection from snooping, and on the other hand, is offering to facilitate the process of snooping.
VeriSign's conflict of interest creates new threat by noteworthy at 7:15 am EST, Jan 25, 2006
There's a big debate going on in the US and Canada about who is going to pay for Internet wiretapping.
It won't be long now until the telcos start trying to pass on the cost of wiretapping to the major content providers. It'll be likened to existing security-related overhead expenses, like "loss prevention" at retail outlets. If Barnes and Noble has to pay for private security guards, why shouldn't Amazon have to do the same?
Financial Cryptography: VeriSign's conflict of interest creates new threat by Rattle at 7:45 am EST, Jan 25, 2006
Here's where the reality meter goes into overdrive. VeriSign is also the company that sells about half of the net's SSL certificates for "secure ecommerce [4]." These SSL certificates are what presumptively protect connections between consumers and merchants. It is claimed that a certificate that is signed by a certificate authority (CA) can protect against the man-in-the-middle (MITM) attack and also domain name spoofing. A further irony is that VeriSign also runs the domain name system for the .com and the .net domains. So, indeed, they do have a hand in the business of domain name spoofing; the point here is that, on the one hand, VeriSign is offering protection from snooping, and on the other hand, is offering to facilitate the process of snooping.
It's not just SSL certs and the .net/.com domains VeriSign is being trusted with anymore. The ability to tap mobile phone calls is on the slate now too. VeriSign is a wolf in wolf's clothing. I can't think of any reason to trust them, and they are positioned in a way where there is no choice or recourse other than to deal with them. They are a perfect example of a(n even more) major problem waiting to happen.