browser vendors and CAs agreeing on high-assurance certificates

Damien Miller djm at mindrot.org
Sun Dec 18 16:12:11 EST 2005


James A. Donald wrote:
>     --
> Has anyone been attacked through a certificate that 
> would not have been issued under stricter security?  The 
> article does not mention any such attacks, nor have I
> ever heard of such an attack.

How much money does a phishing site make before it is forced to close?
(and change its cert) Would it be greater or less than the cost of a HA
cert?

If browser vendors make UI changes to indicate the presence of a HA cert
to users (some are apparently considering changing the URL bar green),
and users trust HA certs more as a result, then that increases their
value when used in a scam.

It isn't too much of a stretch of the imagination that phishers would go
to the trouble of registering companies and forging enough of a financial
record to meet the higher assurance standards if it would make users
more credulous of their site.

-d

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
