<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style id=owaParaStyle>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
h1
        {mso-style-priority:9;
        mso-style-link:"Título 1 Car";
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:24.0pt;
        font-family:"Times New Roman","serif";
        font-weight:bold;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.Ttulo1Car
        {mso-style-name:"Título 1 Car";
        mso-style-priority:9;
        mso-style-link:"Título 1";
        font-family:"Cambria","serif";
        color:#365F91;
        font-weight:bold;}
span.author
        {mso-style-name:author;}
span.linkicon
        {mso-style-name:linkicon;}
span.fbshare
        {mso-style-name:fbshare;}
span.fbbuttontext
        {mso-style-name:fb_button_text;}
span.image-credit
        {mso-style-name:image-credit;}
span.EstiloCorreo26
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ES link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Lynn,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Correct. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Here in a tourist region of Spain there are many apartment-for-rent websites or other small business websites which only have mobile phone numbers as the contact.    <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Increasingly consumers are finding services not up to standard and in some cases non-existent. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>When they start to seek redress they find that there is no way to contact the business.   Only a mobile phone which is not answered and an email which is not answered.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Local law   (www.lssi.es)    which is an application of an EU directive demands full contact details (name, address, tel, etc) to be published on websites.    
This is often ignored so Whois is  a very useful starting point  for any consumer complaints.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>best<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#4F81BD'>Chris Chaplow</span></b><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#4F81BD'><br></span></b><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#4F81BD'>Managing Director</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#4F81BD'><br></span><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#4F81BD'>Andalucia Web Solutions</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#1F497D'><br></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Avenida</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> del Carmen 9<br>Ed. 
</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Puertosol</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>, Puerto </span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Deportivo</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><br>1ª </span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Planta</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>, </span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Oficina</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> 30<br></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Estepona</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>, 29680<br>Malaga, Spain<br></span><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Tel: + (34) 952 897 865</span></b><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><br></span></b><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Fax: + (34) 952 897 874</span></b><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><br></span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#1F497D'>E-mail: </span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#1F497D'><a href="mailto:chris@andaluciaws.com"><b>chris@andaluciaws.com</b></a></span><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#1F497D'><br></span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#1F497D'>Web: </span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#1F497D'><a href="http://www.andaluciaws.com/"><b>www.andaluciaws.com</b></a></span><span 
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><br><br></span><span style='color:#1F497D'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>De:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> owner-bc-gnso@icann.org [mailto:owner-bc-gnso@icann.org] <b>En nombre de </b>lynn@goodsecurityconsulting.com<br><b>Enviado el:</b> viernes, 25 de marzo de 2011 1:23<br><b>Para:</b> Phil Corwin<br><b>CC:</b> bc-gnso@icann.org<br><b>Asunto:</b> RE: [bc-gnso] Hackers exploit chink in Web's armor<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>Thanks Phil!<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>This is helpful in discussions about consumer uses of Whois data. &nbsp;One view is that Whois data, if accurate and reliable, could provide validation of who &quot;owns&quot; a website. &nbsp;Another view is that websites that use SSL encryption have been &quot;validated&quot; and consumers can see the little lock icon in the browser's address bar. &nbsp; <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p>&nbsp;</o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>This article gives a good explanation of why consumers cannot rely on the SSL icon as proof that ownership of a domain name and associated website has been verified. 
&nbsp;And it emphasizes the need for consumer trust in the accuracy and ease of availability of Whois data.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>Lynn<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p>&nbsp;</o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p>&nbsp;</o:p></span></p></div><blockquote style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 6.0pt;margin-left:6.0pt;margin-top:5.0pt;margin-bottom:5.0pt' id=replyBlockquote><div id=wmQuoteWrapper><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>-------- Original Message --------<br>Subject: [bc-gnso] Hackers exploit chink in Web's armor<br>From: Phil Corwin &lt;<a href="mailto:psc@vlaw-dc.com">psc@vlaw-dc.com</a>&gt;<br>Date: Thu, March 24, 2011 6:12 pm<br>To: &quot;<a href="mailto:bc-gnso@icann.org">bc-gnso@icann.org</a>&quot; &lt;<a href="mailto:bc-gnso@icann.org">bc-gnso@icann.org</a>&gt;<o:p></o:p></span></p><div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>I'm not sure if there is a role for&nbsp;ICANN in addressing this, but it certainly appears to be a major Internet/e-commerce security issue ---<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><a href="http://news.cnet.com/8301-31921_3-20046588-281.html?tag=nl.e703" target="_blank">http://news.cnet.com/8301-31921_3-20046588-281.html?tag=nl.e703</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span 
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>March 24, 2011 4:00 AM PDT <o:p></o:p></span></p></div><h1><span style='font-family:"Tahoma","sans-serif";color:black'>Hackers exploit chink in Web's armor<o:p></o:p></span></h1><div><p class=MsoNormal><span class=author><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>by <a href="http://www.cnet.com/profile/declan00/" target="_blank"><span style='color:#0066A0'>Declan&nbsp;</span></a></span></span><span class=author><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#0066A0'>McCullagh</span></span><span class=author><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> and&nbsp;</span></span><span class=author><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#0066A0'><a href="http://www.cnet.com/profile/elinormills/" target="_blank"><span style='color:#0066A0'>Elinor</span></a><a href="http://www.cnet.com/profile/elinormills/" target="_blank"> Mills</a></span></span><span class=author><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> </span></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>A long-known but little-discussed vulnerability in the modern Internet's design was highlighted yesterday by a <a href="http://news.cnet.com/8301-31921_3-20046340-281.html" target="_blank"><span style='color:#0066A0'>report</span></a> that hackers traced to Iran spoofed the encryption procedures used to secure connections to Google, Yahoo, Microsoft, and other major Web sites. 
<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>This design, pioneered by Netscape in the early and mid-1990s, allows the creation of encrypted channels to Web sites, an important security feature typically identified by a closed lock icon in a browser. The system relies on third parties to issue so-called certificates that prove that a Web site is legitimate when making an &quot;https://&quot; connection. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>The problem, however, is that the list of certificate issuers has ballooned over the years to approximately 650 organizations, which may not always follow the strictest security procedures. And each one has a copy of the Web's master keys. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><a href="http://i.i.com.com/cnwk.1d/i/tim/2011/03/23/ComodoIran.png" target="_blank"><span style='text-decoration:none'><img border=0 width=270 height=73 id="_x0000_i1025" src="http://i.i.com.com/cnwk.1d/i/tim/2011/03/23/ComodoIran_270x73.png" alt="Compromise related to fraudulent digital certificates is traced to IP addresses in Iran, Comodo says."></span></a><o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Compromise related to fraudulent digital certificates is traced to IP addresses in Iran, Comodo says. 
<o:p></o:p></span></p></div><p class=MsoNormal><span class=image-credit><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>(Credit: <a href="http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html" target="_blank"><span style='color:#0066A0'>Comodo</span></a>)</span></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>&quot;There is this problem that exists today where there are a very large number of certificate authorities that are trusted by everyone and everything,&quot; says <a href="https://www.eff.org/about/staff/peter-eckersley" target="_blank"><span style='color:#0066A0'>Peter Eckersley</span></a>, senior staff technologist at the <a href="http://www.eff.org/" target="_blank"><span style='color:#0066A0'>Electronic Frontier Foundation</span></a> who has compiled a list of them. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>This has resulted in a bizarre situation in which companies like Etisalat, a wireless carrier in the United Arab Emirates that <a href="http://news.bbc.co.uk/2/hi/technology/8161190.stm" target="_blank"><span style='color:#0066A0'>implanted spyware</span></a> on customers' BlackBerry devices, possess the master keys that can be used to impersonate any Web site on the Internet, even the U.S. Treasury, <a href="http://BankofAmerica.com">BankofAmerica.com</a>, and <a href="http://Google.com">Google.com</a>. So do more than 100 German universities, the U.S. Department of Homeland Security, and random organizations like the Gemini Observatory, which operates a pair of 8.1-meter diameter telescopes in Hawaii and Chile. 
<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>It's a situation that nobody would have anticipated nearly two decades ago when the cryptographic protection known as&nbsp;SSL (Secure Sockets Layer) began to be embedded into Web browsers. At the time, the focus was on securing the connections, not on securing the certificate authorities themselves--or limiting their numbers. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>&quot;It was the '90s,&quot; says security researcher <a href="http://dankaminsky.com/" target="_blank"><span style='color:#0066A0'>Dan </span></a></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#0066A0'>Kaminsky</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>, who <a href="http://news.cnet.com/8301-10789_3-9985618-57.html" target="_blank"><span style='color:#0066A0'>discovered</span></a> a serious Domain Name System flaw in 2008. &quot;We didn't realize how this system would grow.&quot; Today, there are now about 1,500 master keys, or signing certificates, trusted by Internet Explorer and <a href="http://www.cnet.com/firefox-3/" target="_blank"><span style='color:#0066A0'>Firefox</span></a>. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>The vulnerability of today's authentication infrastructure came to light after Comodo, a Jersey City, N.J.-based firm that issues&nbsp;SSL certificates, alerted Web browser makers that an unnamed European partner had its systems compromised. The attack originated from an Iranian Internet Protocol address, according to&nbsp;Comodo Chief Executive&nbsp;Melih Abdulhayoglu, who told CNET that the skill and sophistication suggested a government was behind the intrusion. 
<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Spoofing those Web sites would allow the Iranian government to use what's known as a man-in-the-middle attack to impersonate the legitimate sites and grab passwords, read e-mail messages, and monitor any other activities its citizens performed, even if Web browsers show that the connections were securely protected with&nbsp;SSL encryption. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>If&nbsp;Comodo is correct about the attack originating from Iran, it wouldn't be the first government in the region to have taken similar steps. Late last year, the Tunisian government <a href="http://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/" target="_blank"><span style='color:#0066A0'>undertook</span></a> an ambitious scheme to steal an entire country's worth of Gmail, Yahoo, and&nbsp;Facebook passwords. It used malicious JavaScript code to siphon off unencrypted log-in credentials, which allowed government agents to infiltrate or delete protest-related discussions. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Comodo's&nbsp;revelation throws into sharp relief the list of flaws inherent in the current system. There is no automated process to revoke fraudulent certificates. There is no public list of certificates that companies like&nbsp;Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. 
There are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance; Tunisia even has its own <a href="http://www.certification.tn/index.php?id=4" target="_blank"><span style='color:#0066A0'>certificate-issuing government agency</span></a>. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>&quot;These organizations act as cornerstones of security and trust on the Internet, but it seems like they're not doing basic due diligence that other organizations are expected to do, like the banks,&quot; says Mike Zusman, managing consultant at Web app security firm&nbsp;</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#0066A0'><a href="http://intrepidusgroup.com/" target="_blank"><span style='color:#0066A0'>Intrepidus</span></a><a href="http://intrepidusgroup.com/" target="_blank"> Group</a></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>. &quot;I'm not sure what we need to do but I think it's time we start addressing the issue of trust and issues of certificate authorities potentially not living up to standards that they should be.&quot; <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Over the last few years, a handful of papers and demonstrations at hacker conferences have focused more attention on the topic. But the&nbsp;Comodo intrusion, which appears to be the first public evidence of an actual attack on the way the Web handles authentication, could be a catalyst for rethinking the way to handle security. 
<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Two years ago, for instance,&nbsp;Zusman <a href="http://intrepidusgroup.com/insight/2009/01/nobody-is-perfect/" target="_blank"><span style='color:#0066A0'>was able to get a certificate</span></a> from Thawte, a VeriSign subsidiary, for &quot;<a href="http://login.live.com">login.live.com</a>&quot; just based on an e-mail address he created on the Hotmail domain. Even though it was revoked, it still worked in a Web browser during a demonstration at the Black Hat conference in Las Vegas. Comodo, too, has previously been shown to have <a href="https://blog.startcom.org/?p=145" target="_blank"><span style='color:#0066A0'>lax security standards</span></a> among its resellers as far back as December 2008. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>&quot;Remember, the only reason Iran has to go to the lengths they've gone to&nbsp;to get certificates is because they don't have a (certificate issuer) of their own... most countries can just generate their own,&quot; says Moxie Marlinspike, chief technology officer of mobile app developer <a href="http://www.whispersys.com/" target="_blank"><span style='color:#0066A0'>Whisper Systems</span></a>, who has discovered <a href="http://news.cnet.com/8301-27080_3-10299459-245.html" target="_blank"><span style='color:#0066A0'>serious problems</span></a> with Web authentication before. One problem, he says, is that companies that issue certificates have a strong economic incentive to make it as easy as possible to obtain them. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Another worrisome aspect is that browser makers don't always have a good way to revoke fraudulent certificates. 
A <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=642395" target="_blank"><span style='color:#0066A0'>discussion thread</span></a> at <a href="http://Mozilla.org">Mozilla.org</a>, makers of the Firefox browser, shows that after being alerted by Comodo, they had no process to revoke the faux certificates. Mozilla developers ended up having to write new code and test a patch, which took a few days and, even after its release, meant that only users who downloaded new versions of Firefox benefit. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Google's Chrome, on the other hand, uses a <a href="http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates_17.html" target="_blank"><span style='color:#0066A0'>transparent update system</span></a> for desktop versions but not necessarily mobile ones. Microsoft <a href="http://www.microsoft.com/technet/security/advisory/2524375.mspx" target="_blank"><span style='color:#0066A0'>said yesterday</span></a> that &quot;an update is available for all supported versions of Windows to help address this issue.&quot; <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><a href="http://www.cl.cam.ac.uk/~rja14/" target="_blank"><span style='color:#0066A0'>Ross Anderson</span></a>, professor of security engineering at the University of Cambridge's computer laboratory, offered an anecdote in this paper (<a href="http://spw.stca.herts.ac.uk/2.pdf" target="_blank"><span style='color:#0066A0'>PDF</span></a>): &quot;I asked a panelist from the Mozilla Foundation why, when I updated Firefox the previous day, it had put back a certificate I'd previously deleted, from an&nbsp;organisation associated with the Turkish military and intelligence services. 
The Firefox spokesman said that I couldn't remove certificates--I had to leave them in but edit them to remove their capabilities - while an outraged Turkish delegate claimed that the body in question was merely a 'research organisation.'&quot; <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Jacob Appelbaum, a Tor Project developer who is a subject of a <a href="http://news.cnet.com/8301-31921_3-20042277-281.html" target="_blank"><span style='color:#0066A0'>legal spat</span></a> with the Justice Department over his <a href="http://news.cnet.com/8301-1009_3-20010866-83.html" target="_blank"><span style='color:#0066A0'>work with </span></a></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#0066A0'>WikiLeaks</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>, says Mozilla should have warned of the vulnerability immediately and shipped Firefox 4 with a way to detect and revoke bad certificates turned on by default. (The technique is called <a href="http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol" target="_blank"><span style='color:#0066A0'>Online Certificate Status Protocol</span></a>, or OCSP). <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>&quot;Mozilla's not taking their responsibility to the Internet seriously,&quot; said Appelbaum, who wrote an <a href="https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion" target="_blank"><span style='color:#0066A0'>independent analysis</span></a> of the situation. &quot;A Web browser isn't a toy. 
It's being used as a tool to overthrow governments...At the end of the day, they did not put their users first.&quot; <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Some long-term technical fixes have been proposed, with names like <a href="http://www.ietf.org/id/draft-ietf-dane-protocol-06.txt" target="_blank"><span style='color:#0066A0'>DANE</span></a>, </span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#0066A0'><a href="http://tools.ietf.org/html/draft-hoffman-server-has-tls-04" target="_blank"><span style='color:#0066A0'>HASTLS</span></a></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>,&nbsp;</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#0066A0'><a href="http://tools.ietf.org/html/draft-hallambaker-donotissue-03" target="_blank"><span style='color:#0066A0'>CAA</span></a></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> (Comodo's Philip Hallam-Baker is a co-author), and </span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#0066A0'><a href="http://web.monkeysphere.info/" target="_blank"><span style='color:#0066A0'>Monkeysphere</span></a></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>. The technology known as <a href="http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" target="_blank"><span style='color:#0066A0'>Domain Name System Security Extensions</span></a>, or DNSSEC, can help. 
The Electronic Frontier Foundation's Eckersley, who runs the group's&nbsp;</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#0066A0'><a href="https://www.eff.org/observatory" target="_blank"><span style='color:#0066A0'>SSL</span></a><a href="https://www.eff.org/observatory" target="_blank"> Observatory</a></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> that tracks&nbsp;SSL certificates, hints that he'll soon offer another proposal about how to reinforce the Web's cryptographic architecture. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>&quot;We do in fact need a way not to trust everyone,&quot; Eckersley says. &quot;We have 1,500 master certificates for the Web running around. That's 1,500 places that could be hacked and all of a sudden you have to scramble to dream up a solution.&quot; <o:p></o:p></span></p></div></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><br><br>Read more: <a href="http://news.cnet.com/8301-31921_3-20046588-281.html#ixzz1HYctsBUi" target="_blank"><span style='color:#003399'>http://news.cnet.com/8301-31921_3-20046588-281.html#ixzz1HYctsBUi</span></a><o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>&nbsp;<o:p></o:p></span></p></div><div><div><p class=MsoNormal><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:navy'>Philip S. 
Corwin, Founding Principal</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:navy'>Virtualaw&nbsp;LLC</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:navy'>1155 F Street, NW</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:navy'>Suite 1050</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:navy'>Washington, DC 20004</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:navy'>202-559-8597/Direct</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:navy'>202-559-8750/Fax</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:navy'>202-255-6172/cell</span></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><strong><i><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:navy'>&quot;Luck is the 
residue of design&quot; -- Branch Rickey</span></i></strong><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p></o:p></span></p></div></div></div></div></div></blockquote></div></body></html>