The real problem that https has conspicuously failed to fix

John R. Levine johnl at iecc.com
Mon Jun 9 21:52:08 EDT 2003


> I keep posting "you cannot do this using https", and people keep
> replying "yes you can"

I think there are two separate problems here.  One is domain squatting.
I've seen lots of phishes from domains like paypal-confirm.com (which
is registered to someone in Pakistan.)  It is truly pitiful that with
all of the anti-squatting nonsense involved with ICANN and their UDRP,
and despite the cases we've read about with trademark owners
suing everyone who registers "bigcorp-sucks.com", people still
register deliberately confusing domain names in bad faith for fraudulent
purposes and get away with it.

The other issue, as someone else noted, is that html, like just about
everything else on the net, wasn't designed to be secure and unless
you're going to go reading the source code of every form you use, you
can't tell where your information is going.

I can't see that either of those issues can be addressed by
cryptography.  Crypto lets someone say "Hi!  I absolutely definitely
have a name somewhat like the name of a large familiar organization,
and I'd like to steal your data!" and lots of users will say "OK,
fine, whatever."

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711
johnl at iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
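
The post's second point, that you cannot tell where a form sends your data without reading its source, can be checked mechanically. The following is an added example, not part of the original message: a short Python sketch that reads the source for you and reports where each form submits. The page URL, host names and HTML are constructed sample input, and the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action and method of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            # A missing or empty action submits to the page's own URL.
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def form_destinations(page_url, html):
    """Return one dict per form: resolved target, method, and risk flags."""
    collector = FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    results = []
    for action, method in collector.forms:
        target = urljoin(page_url, action)  # resolve relative actions
        dest = urlsplit(target)
        flags = []
        if dest.hostname != page.hostname:
            flags.append("cross-host")      # data leaves the site you are viewing
        if dest.scheme != "https":
            flags.append("not-https")       # data leaves unencrypted
        results.append({"target": target, "method": method, "flags": flags})
    return results


# Constructed sample page: served over https, but one form posts elsewhere.
SAMPLE_URL = "https://www.example.com/account/login"
SAMPLE_HTML = """
<form action="/session" method="post"><input name="user"></form>
<form action="http://collector.example.net/save" method="POST">
  <input name="card"></form>
<form><input name="q"></form>
"""

if __name__ == "__main__":
    for form in form_destinations(SAMPLE_URL, SAMPLE_HTML):
        print(form["method"], form["target"], ",".join(form["flags"]) or "same-host https")
```

This only inspects the static `action` attribute; a `<base href>` element, a `formaction` attribute on a button, or script that rewrites the form at submit time can all change the destination.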


