| Re: PHP mysql_excape but need to search for those items [message #178413 is a reply to message #178403] |
Fri, 15 June 2012 20:36   |
Arno Welzel
Messages: 317
Registered: October 2011
Karma:
|
Senior Member |
|
|
Jerry Stuckle, 14.06.2012 13:40:
> On 6/14/2012 2:47 AM, Arno Welzel wrote:
>> Jerry Stuckle, 12.06.2012 14:00:
[...]
>>> Setting up a proxy would mean alternations to the domain name servers
>>> data. Additionally, the certificate either would not match the domain
>>> name or the certificate would not be signed by a recognized authority
>>> (which is a good reason to use a trusted certificate).
>>
>> Nameservers can be compromised - e.g. by cache poisoning.
>>
>
> And exactly how often has that occurred? And who has the tools to do it?
To read more about: <http://www.kb.cert.org/vuls/id/800113>
Just because you can not imagine that his happens in reality does not
mean that you can ignore the problem.
I must admit that this problem is well known now for about 4 years and
hopefully anyone who's responsible for a nameserver did solve this - but
i mentioned it to show that "security" is not just "i use SSL, this i
secure".
>>> I don't know of any broken CAs in the past, but there could have been.
>>> However, the ones I use won't issue a certificate just to anyone.
>>
>> And these are?
>>
>
> Thwate, for one. Verisign for another.
VeriSign is also on the list of the CAs which had at least one security
problem:
< http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z8 20120202>
Of course they will never tell you about any details and of course you
shall believe that everything is perfectly fine.
And not to forget:
< http://www.thetechherald.com/articles/DigiNotar-security-incident-goes-from -bad-to-worse>
"In total, 531 fraudulent certificates were issued during the DigiNotar
breach, including certificates for Google, Microsoft, MI6, the CIA, TOR,
Mossad, Skype, Twitter, Facebook, Thawte, VeriSign, and Comodo."
Do you still believe, the CA system is trustworthy?
>> Just as a reminder: DigiNotar, Comodo, RSA - just to name a few who
>> already got compromised.
>>
>> Also see:
>>
>> < http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/>
>>
>>
>> < http://www.itscolumn.com/2011/09/certificate-authority-hacked-google-faced- mitm-attack/>
>>
>>
>> The whole model of trusting CAs and not single certificates (as in SSH)
>> must be considered broken.
>
> And you have a better solution?
As i already said: Don't trust a CA, only trust (or don't trust) the
certificate. If it changes your browser will immediately tell you - even
if it was signed by a CA.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]