<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-forward-container"><br>
<div class="moz-cite-prefix">On 08-Feb-17 8:55 AM, Bill Cox wrote:<br>
</div>
<blockquote
cite="mid:CAOLP8p7Lq0j6yDfuiMN3pn_NCeNZ_eA8Wr=ZCpsOZx6=HsTsmA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><br>
<div>Well... I think I figured out why that won't work
well. If the browser displays the same thing for every
site, as some sort of side-bar or something, then
phishers can convince the browser to show it on their
phishing site, and only a slight difference in the URL
will alert the user about the attack.</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
<p>Your browser will only show it after verifying a TLS
certificate's digital signature. Hence the phishers need to hack
a certificate authority to get fig 1 up.<br>
</p>
<p>Sure, phishers could buy a TLS certificate, but it's up to the
certificate authorities not to sell certificates with fake
identities to criminals. And yes, I know this has happened. I
don't have the references to hand.<br>
</p>
</div>
</body>
</html>