browser vendors and CAs agreeing on high-assurance certificates

James A. Donald jamesd at echeque.com
Sun Dec 18 13:06:10 EST 2005


From: "Steven M. Bellovin" <smb at cs.columbia.edu>
> The very first phishing attack I ever heard of was for
> paypa1.com.  As I recall, they did have a certificate.

And would they not have had a high assurance
certificate, since presumably they really were
paypa1.com?

Even if the vendors do implement a policy that all new
URLs must be significantly different from known high
value URLs, which is not their stated policy, this is
not going to help much with such high value URLs as:
"https://lb22.resources.hewitt.com"

Proving true names is not much help, because there are
too many names. 

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     CS4AkcyJ2ZhuZtOouD5yH0AnqodmyrqySuYZgRXQ
     4Y1XkuPvMRrV9M2owdKcEoRRGZzIuxUqEcgxLcPX7
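An added illustration (not part of the original post) of the "must differ from known high-value names" check the post discusses: a small homoglyph fold plus edit distance against a constructed watch list catches paypa1.com, but a look-alike of a name that is not on the list passes untouched, which is the post's point about there being too many names. The watch list, homoglyph table and the look-alike name hewit.com are constructed for the example.

```python
# Constructed watch list of "known high value" registrable names.
# Any real deployment would need thousands of these, and still miss most.
HIGH_VALUE = ("paypal.com", "ebay.com")

# Fold characters commonly substituted for look-alikes (1 for l, 0 for o ...).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def fold(name: str) -> str:
    """Lower-case and collapse look-alike characters onto their targets."""
    return name.lower().translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, O(len(a) * len(b)) with two rows of state."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels. Real code needs the
    public suffix list; this is enough for the .com names used here."""
    return ".".join(host.lower().split(".")[-2:])


def confusable_with(host: str, watch=HIGH_VALUE, max_dist: int = 1):
    """Return the watch-list name `host` is confusable with, or None.

    An exact match on the raw registrable name is the legitimate owner,
    so it is not reported; only near-misses after folding are."""
    raw = registrable(host)
    folded = fold(raw)
    for hv in watch:
        if raw != hv and levenshtein(folded, fold(hv)) <= max_dist:
            return hv
    return None
```

Run against the post's two examples, paypa1.com is flagged as confusable with paypal.com, while lb22.resources.hewitt.com and the constructed look-alike hewit.com both pass, because nothing resembling hewitt.com is on the list.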



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
