
Re: [Asrg] POSTAGE, was The fundamental misconception about paying for mail

2008-12-03 09:30:33
On 12/3/2008 7:08 AM, John Levine wrote:

>> Bad guy gets an SSL cert...Stop! Not so easy.
>
> You're kidding, right?  When's the last time you got an SSL cert?  I
> happened to get one for my sister yesterday.  I looked around to find
> out who's the cheapest, found someone selling them for $12.95
> (servertastic.com), paid with a credit card which, since I am honest,
> was actually mine, clicked through on a URL in an email message sent
> to postmaster@<cert domain>, and got the signed cert, in a total of
> about five minutes.  If I did it very often, I could easily have
> scripted it.  This is the reality of Internet security today.
>
> In the cert biz, they now have "high security" green bar certs which
> roll the clock back to the price and somewhat more stringent
> investigation that all certs required a decade ago, but it's just a
> matter of time before those race to the bottom, too.

In every industry, there are vendors who compete solely on price, often at the
expense of the quality of their products or services.  Some CAs may issue certs
to anyone with an apparently valid credit card number and a working email
address; some require additional proof that the buyer is who he claims to be.
In the long run, certs from CAs in the first group are likely to have less
credibility than certs from CAs in the second group.  At some point, some
enterprising individual will build a CA reputation database and someone else
will write a browser extension that will check the database whenever the browser
encounters a cert.  It will not be ubiquitous, just as the use of email sender
reputation services is not ubiquitous, but it will provide useful information to
those who choose to use it.

The anarchical nature of the 'Net virtually guarantees that nothing will ever
be deployed universally and simultaneously.  Human nature guarantees that
someone somewhere will attempt to thwart any technology that might make a
significant dent in the spam problem.  If universal simultaneous deployment and
total infallibility are non-negotiable requirements for any proposal, then
nothing will ever be done.

--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
prussell(_at_)nd(_dot_)edu
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg