A cool demo of how to spoof sites (also shows how TrustBar prevents this...)
Amir Herzberg
herzbea at macs.biu.ac.il
Thu Feb 10 02:59:15 EST 2005
Steve, my point was not the trivial fact that TrustBar would not display
the homograph; suppose it did... even then, the user is _asked_ about
the certificate, since it was signed by an unusual CA that the user did
not specify as `to be trusted always`; this should certainly be a good
warning for most users (and of course, a good situation to check for
tricks such as homographs...).
And even if some user allowed this CA as `always trusted`, there is
still a fair chance he'll notice that the brand of CA on his bank's site
has suddenly changed... which may also raise the alarm.
Best, Amir Herzberg
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com