browser vendors and CAs agreeing on high-assurance certificates

Adam Shostack adam at homeport.org
Sun Dec 18 14:09:05 EST 2005


Higher assurance means that when the CA gets duped, it's even better
for the phishers, because that nice, reassuring green bar will be
there.

To preserve the internet channel as a means of communicating with
customers, we need to move to bookmarks, not email with clickable
URLs.  That method is a black hole.

(I've blogged somewhat verbosely about this too, if anyone cares:
http://www.emergentchaos.com/archives/002104.html
http://www.emergentchaos.com/archives/002060.html)


On Sun, Dec 18, 2005 at 10:06:10AM -0800, James A. Donald wrote:
|     --
| From: "Steven M. Bellovin" <smb at cs.columbia.edu>
| > The very first phishing attack I ever heard of was for
| > paypa1.com.  As I recall, they did have a certificate.
| 
| And would they not have had a high assurance
| certificate, since presumably they really were
| paypa1.com?
| 
| Even if the vendors do implement a policy that all new
| urls must be significantly different from known high
| value urls, which is not their stated policy, this is
| not going to help much with such high value urls as:
| "https://lb22.resources.hewitt.com"
| 
| Proving true names is not much help, because there are
| too many names. 
| 
|     --digsig
|          James A. Donald
|      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
|      CS4AkcyJ2ZhuZtOouD5yH0AnqodmyrqySuYZgRXQ
|      4Y1XkuPvMRrV9M2owdKcEoRRGZzIuxUqEcgxLcPX7
| 
| 
| 
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

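The quoted exchange turns on a policy James describes hypothetically: a CA or browser refusing new names that are too close to known high-value ones. The following script is an added illustration of what such a lookalike check can and cannot do; it is not code from this thread, from any CA, or from any browser vendor. The list of "high-value" names, the confusable-character table and the sample hostnames are all constructed for the example, and the registrable-domain logic (last two labels) is a deliberate simplification of what real code would do with the Public Suffix List.

```python
"""Lookalike-hostname check: an added example, not code from the thread.

It classifies a hostname against a small, constructed list of
high-value registrable domains as:
  "known"     - same registrable domain (a legitimate subdomain),
  "lookalike" - within a small edit distance after confusable
                characters are folded (e.g. paypa1.com -> paypal.com),
  "unknown"   - nothing on the list resembles it.
The last case is James Donald's point: an impostor of an obscure but
genuine name such as lb22.resources.hewitt.com is not caught, because
there are too many legitimate names to enumerate.
"""
import unicodedata
from typing import Optional, Tuple

# Constructed table of characters a phisher can swap for visually similar
# ones. Multi-character entries go first so "rn" is folded before "r"/"n".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"),
               ("|", "l"), ("5", "s"), ("3", "e")]

# Constructed "high-value" list; a real deployment would be far larger.
HIGH_VALUE = {"paypal.com", "hewitt.com"}


def normalize(host: str) -> str:
    """Lower-case, apply Unicode compatibility folding, fold confusables."""
    h = unicodedata.normalize("NFKC", host).lower().strip(".")
    for src, dst in CONFUSABLES:
        h = h.replace(src, dst)
    return h


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels. Real code would use
    the Public Suffix List (example simplification)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(host: str, known=HIGH_VALUE,
             max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_known_domain_or_None)."""
    reg = registrable(host)
    if reg in known:                       # exact registrable match
        return ("known", reg)
    norm = normalize(reg)
    for k in sorted(known):                # deterministic order
        if edit_distance(norm, normalize(k)) <= max_distance:
            return ("lookalike", k)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hostnames, including the two from the thread.
    samples = ["www.paypal.com", "paypa1.com", "paypal.co",
               "lb22.resources.hewitt.com", "lb22.resources-hewitt.com"]
    for h in samples:
        verdict, match = classify(h)
        print(f"{h:32} -> {verdict:9} {match or ''}")
```

Run as-is, it prints that `paypa1.com` is flagged as a lookalike of `paypal.com` once the digit-one is folded to an ell, while `lb22.resources-hewitt.com` comes back `unknown`: it resembles nothing on the list, so the similarity policy gives the user no help distinguishing it from the genuine `lb22.resources.hewitt.com`. That gap is why the thread concludes that proving true names does not scale, and why Adam argues for bookmarks over clickable links.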