Re: PHP mysql_excape but need to search for those items [message #178417 is a reply to message #178413]
Sat, 16 June 2012 01:07
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 6/15/2012 4:36 PM, Arno Welzel wrote:
> Jerry Stuckle, 14.06.2012 13:40:
>
>> On 6/14/2012 2:47 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 12.06.2012 14:00:
> [...]
>>>> Setting up a proxy would mean alterations to the domain name servers'
>>>> data. Additionally, the certificate either would not match the domain
>>>> name or the certificate would not be signed by a recognized authority
>>>> (which is a good reason to use a trusted certificate).
>>>
>>> Nameservers can be compromised - e.g. by cache poisoning.
>>>
>>
>> And exactly how often has that occurred? And who has the tools to do it?
>
> To read more about:<http://www.kb.cert.org/vuls/id/800113>
>
> Just because you can not imagine that this happens in reality does not
> mean that you can ignore the problem.
>
Quite frankly, I don't believe everything I see on the web. Do you have
any proof this has actually occurred?
> I must admit that this problem is well known now for about 4 years and
> hopefully anyone who's responsible for a nameserver did solve this - but
> I mentioned it to show that "security" is not just "I use SSL, this is
> secure".
>
Again - do you have proof any of this has actually occurred?
>>>> I don't know of any broken CAs in the past, but there could have been.
>>>> However, the ones I use won't issue a certificate just to anyone.
>>>
>>> And these are?
>>>
>>
>> Thawte, for one. Verisign for another.
>
> VeriSign is also on the list of the CAs which had at least one security
> problem:
>
> <http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202>
>
> Of course they will never tell you about any details and of course you
> shall believe that everything is perfectly fine.
>
> And not to forget:
>
> <http://www.thetechherald.com/articles/DigiNotar-security-incident-goes-from-bad-to-worse>
>
> "In total, 531 fraudulent certificates were issued during the DigiNotar
> breach, including certificates for Google, Microsoft, MI6, the CIA, TOR,
> Mossad, Skype, Twitter, Facebook, Thawte, VeriSign, and Comodo."
>
> Do you still believe, the CA system is trustworthy?
>
Again, I don't believe everything I see on the Internet. But I have
used both Thawte and VeriSign, and know what a company has to go through
to get a certificate.
Again, do you have any proof any of this has occurred? Or just a web
site which claims such?
>>> Just as a reminder: DigiNotar, Comodo, RSA - just to name a few who
>>> already got compromised.
>>>
>>> Also see:
>>>
>>> <http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/>
>>>
>>>
>>> <http://www.itscolumn.com/2011/09/certificate-authority-hacked-google-faced-mitm-attack/>
>>>
>>>
>>> The whole model of trusting CAs and not single certificates (as in SSH)
>>> must be considered broken.
>>
>> And you have a better solution?
>
> As I already said: Don't trust a CA, only trust (or don't trust) the
> certificate. If it changes your browser will immediately tell you - even
> if it was signed by a CA.
>
>
So, what is your solution? Just telling someone not to trust a CA is
not a solution.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
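Arno's suggestion above (trust the certificate itself, not the CA, and raise an alarm when it changes) written out as a trust-on-first-use pin check in Python. This is an added example, not code from the thread or from either poster; the pin-store layout, the host `example.test` and the certificate bytes are constructed for the demo, and only `fetch_peer_der()` touches a real TLS connection.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates);
# in live use the bytes come from fetch_peer_der().
CERT_V1 = b"constructed-der-bytes-example.test-v1"
CERT_V2 = b"constructed-der-bytes-example.test-v2"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate: the value the pin store records."""
    return hashlib.sha256(der_cert).hexdigest()

def check_pin(store: dict, key: str, der_cert: bytes) -> str:
    """Trust-on-first-use decision for one host ("host:port" key).

    Returns 'first-seen' (pin recorded now), 'match', or 'changed'.
    'changed' fires even if the new certificate chains to a trusted CA,
    which is the alarm a CA-only check never raises.
    """
    fp = fingerprint(der_cert)
    pinned = store.get(key)
    if pinned is None:
        store[key] = fp
        return "first-seen"
    return "match" if pinned == fp else "changed"

def accept_rotation(store: dict, key: str, der_cert: bytes) -> None:
    """Explicit re-pin after an operator has verified a legitimate renewal;
    never done automatically, or the check would be worthless."""
    store[key] = fingerprint(der_cert)

def fetch_peer_der(host: str, port: int = 443) -> bytes:
    """Live use: normal CA validation stays on; the leaf certificate is
    returned as DER so check_pin() can run on top of the chain check."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def demo() -> list:
    """Three visits to one host: first sight, unchanged, then a swapped cert."""
    store = {}
    key = "example.test:443"
    return [check_pin(store, key, CERT_V1),
            check_pin(store, key, CERT_V1),
            check_pin(store, key, CERT_V2)]  # ['first-seen', 'match', 'changed']
```

Legitimate renewals trip the same alarm as a hostile swap, so the pin store needs the explicit `accept_rotation()` step rather than silent re-pinning; the CA chain check is kept as a first filter, with the pin as a second, independent one.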