WYTM?

Florian Weimer fw at deneb.enyo.de
Thu Oct 16 06:45:06 EDT 2003


Jon Snader wrote:

> I don't understand this.  Let's suppose, for the
> sake of argument, that MitM is impossible.  It's
> still trivially easy to make a fake site and harvest
> sensitive information.  If we assume (perhaps erroneously)
> that all but the most naive user will check that they
> are talking to a ``secure site'' before they type in
> that credit card number, doesn't the cert provide assurance
> that you're talking to whom you think you are?

It's not *that* difficult to obtain a certificate for something
involving a well-known brand.  The certificate generation process
appears to be fully automated, and we know that it has already failed.
Furthermore, the certificate says nothing about the contents of the
site.  You can register something like REFRESH-ACCOUNT.COM and collect
passwords using an Ebay or AOL imitation, and none of the SSL CAs will
refuse to certify your key material for use with REFRESH-ACCOUNT.COM.

So why do we see so little fraud involving HTTPS sites?  I'd guess
that's because the current social engineering tactics are effective
without the "https://" mark.  Most users look for assurances of their
privacy, and if the web site says "128 bit encrypted", they feel safe,
independent of the actual transport channel.

---------------------------------------------------------------------
The Cryptography Mailing List