[SONG RELEASE] ASIAFIGHT!


Poll results (9 votes total):
- THE SONG IS KINDA OK: 4 (44%)
- THE SONG IS BAD: 2 (22%)
- THE SONG SUCKS: 1 (11%)
- OTHER: 2 (22%)

Postby divVerent » Sun Feb 15, 2009 8:33 pm

esteel wrote: Yeah to that I can agree, THAT can count as a bug, but not the warning itself :P
And yeah you can trust the page, but self-signed stuff will not verify the identity of the page owner like expensive certs CAN do (but that part is getting weaker too)

There have been incidents where people got hold of valid certs signed by Verisign and other CAs by social engineering. One of them was for microsoft.com.

Sure, they're blacklisted now. But CAs don't guarantee anything. It's just a stupid way to make money.

For online banking, banks should rather print their certificate fingerprint on snail mail, and require customers to verify it manually. That's the only thing that's secure.
1. Open Notepad
2. Paste: ÿþMSMSMS
3. Save
4. Open the file in Notepad again

You can vary the number of "MS", so you can clearly see it's MS which is causing it.
divVerent
Site admin and keyboard killer
 
Posts: 3809
Joined: Thu Mar 02, 2006 4:46 pm
Location: BRLOGENSHFEGLE

Postby divVerent » Sun Feb 15, 2009 8:41 pm

Alien wrote: There are FREE/OPEN CAs which are not trusted by Firefox.

Of course, as any such CA can't guarantee your identity, as any way to do so costs money.

Postby Alien » Sun Feb 15, 2009 10:09 pm

You can use paypal as a method to verify identity as valid paypal account requires valid identity.
Alien
Forum addon
 
Posts: 1212
Joined: Tue Apr 22, 2008 7:12 am

Postby divVerent » Sun Feb 15, 2009 10:14 pm

Nope, I could register at paypal with just a bank account number and no further verified information, or even without that and just two lucky guesses with about 1:2000 probability.

This COULD be a working identification, but only if the same paypal account or the same bank account is used to pay the domain. And these "CAs" don't even verify that.
1. Open Notepad
2. Paste: ÿþMSMSMS
3. Save
4. Open the file in Notepad again

You can vary the number of "MS", so you can clearly see it's MS which is causing it.
divVerent
Site admin and keyboard killer
 
Posts: 3809
Joined: Thu Mar 02, 2006 4:46 pm
Location: BRLOGENSHFEGLE

Postby Alien » Sun Feb 15, 2009 10:18 pm

It's their fault that they don't. You won't be able to use paypal without valid/verified bank account which is bound to your name. Don't know how you got 2000:1 though. ;)

Or you could pay a symbolic 1 euro/$ payment to verify who paid for what certificate and for what domain.

Postby divVerent » Sun Feb 15, 2009 10:32 pm

The paypal account is verified by two symbolic payments, amounting to less than an euro total. The number of possibilities for that is less than 10000. Strike all the possibilities above or equal an euro - about 5000 left. Don't count pairs twice - about 2500 left. 1:2000 may be quite close.

Paypal does in no way verify your name. All they do verify is that they can send some bank account money, and that you can see (or even guess) its amount. All other data of paypal is ENTIRELY unverified.

As for that symbolic payment - sure, then the CA has your account number (or at least one you can transfer money from), but this isn't linked to the domain name in any way the CA can use. Again, for this to work, the ISP you host the domain at would have to verify to the CA that you're using the same bank account for the domain (no other data can be used for that, as anything else in Paypal or that "symbolic payment" is ENTIRELY unverified). The ISP however is not ALLOWED to disclose that info to some "CA" according to privacy laws.

Note that it doesn't matter which PERSON a certificate is linked to. The certificate doesn't aim to prove that you can find out who's providing the data. The certificate aims to prove that the server behind the domain name is actually the one the domain name is for. In other words, the certificate aims to prove that the server belongs to the same entity as the domain name or IP address, as registered in the NIC or the IANA (and can be found out by "whois").

And the only data that IS linked to the domain name and that the CA can find out is the data in "whois", which does contain your name and street address, but not your bank account number. But there is no way to verify that a bank account belongs to the address data from "whois". Banks don't disclose who owns a certain account number. Neither does the ISP give out the bank account numbers of their customers.

One way that WOULD work is sending a snail mail letter to the address in "whois". But that costs the CA money, which means there can't be any free CA doing that.
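The "1:2000" estimate above can be reproduced by counting the deposit pairs step by step. This is an added example, not code from the thread; it assumes each symbolic deposit is a whole number of cents between 1 and 99, that the two together stay below one euro (as the post states), and that the order of the two amounts does not matter. The point for a verifier design is that the guess space is only about 11 bits, so the check is only as strong as the attempt limit placed in front of it.

```python
import math
from itertools import product, combinations_with_replacement

MAX_CENTS = 99      # assumption: each deposit is 1..99 cents
EURO_CENTS = 100    # thread's stated rule: both deposits together stay below one euro


def guess_space() -> dict:
    """Reproduce the post's narrowing of the guess space, step by step.

    Returns the three intermediate counts the post quotes as
    "less than 10000", "about 5000" and "about 2500".
    """
    amounts = range(1, MAX_CENTS + 1)
    # every ordered pair of cent amounts (99 * 99)
    all_ordered = sum(1 for _ in product(amounts, repeat=2))
    # keep only pairs whose sum is below one euro
    under_a_euro = sum(1 for a, b in product(amounts, repeat=2)
                       if a + b < EURO_CENTS)
    # do not count (a, b) and (b, a) twice: unordered pairs a <= b
    unordered = sum(1 for a, b in combinations_with_replacement(amounts, 2)
                    if a + b < EURO_CENTS)
    return {"all_ordered": all_ordered,
            "under_a_euro": under_a_euro,
            "unordered": unordered}


def entropy_bits(space: int) -> float:
    """How many bits of secret the deposit amounts actually carry."""
    return math.log2(space)


def blind_guess_probability(attempts: int, space: int) -> float:
    """Chance that someone who cannot read the account statement hits the
    right pair within `attempts` tries; a lockout after a few attempts
    is what keeps this bounded."""
    return min(1.0, attempts / space)


if __name__ == "__main__":
    steps = guess_space()
    print(steps)                                   # {'all_ordered': 9801, 'under_a_euro': 4851, 'unordered': 2450}
    print(round(entropy_bits(steps["unordered"]), 2))   # 11.26
    print(blind_guess_probability(3, steps["unordered"]))
```

With three attempts allowed before lockout the blind success chance stays near 1 in 800; without any lockout the space is small enough to exhaust, which is the weakness the post is pointing at.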

Postby Alien » Sun Feb 15, 2009 10:45 pm

divVerent wrote: As for that symbolic payment - sure, then the CA has your account number (or at least one you can transfer money from), but this isn't in any way the CA can use linked to the domain name.

No, but that way the CA could have proof of who got the particular cert (identifying the client by a bank account number without knowing the client's real name) without requiring to meet him personally, and could use that info in case there was fraud involving that cert.

Postby divVerent » Sun Feb 15, 2009 10:54 pm

That doesn't suffice for a trustworthy certificate.

The CA is required to verify the data of their customer BEFORE giving out the signed certificate. Not sue him afterwards, should it have been a fraud.

Otherwise, it'd be easy to do phishing sites for some days (as it takes some time to notice that the data is fake).

Postby Alien » Sun Feb 15, 2009 11:03 pm

Of course, it's not 100% reliable, but way better than the current "meet me personally" situation. Only people who got access to other people's bank accounts would be rather safe.

Postby divVerent » Sun Feb 15, 2009 11:14 pm

Again. The CA has no way to link the bank account number to the domain name. Anything else can be fake, from their point of view. Especially they have no proof that their customer actually is the rightful holder of the domain name.

On the other hand, a CA that takes money from the signee has an easy way to prove their customer's identity - they'd simply send e.g. a password via snail mail to the customer. This would prove that the postal address is correct, and as that address is also in the NIC record of a domain name, it's easy to verify that it's the same.

However, having access to someone else's mail can happen, e.g. by neighbors. To prevent that, you can send an express letter that will be handed out ONLY to the intended recipient, and neither be thrown into the mail box nor given to neighbors or other persons. In that case, the postal service would even verify the ID card of the recipient, and only give it out if the data matches.

That service exists, but it's too expensive for a free CA to use. The cheapest cost for an express letter with identification of the recipient in Germany is EUR 0.55 for the letter, + 2.05 for express letter, + 1.80 for "nobody else may get it". That's a total of EUR 4.40. This is no obstacle for a commercial CA, but a free CA can't possibly make that much money per customer just from advertisements.
