A cool demo of how to spoof sites (also shows how TrustBar prevents this...)
Adam Fields
cryptography23094893 at aquick.org
Thu Feb 10 19:16:50 EST 2005
On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote:
[...]
> One member of this mailing list, in a private exchange, noted that
> he had asked his bank for their certificate's fingerprint. My
> response was that I was astonished he found someone who knew what
> he was talking about.
[...]
I wrote on this list, in June 2003, the last time we had this
conversation (regarding a similar plugin called SSLBar):
"Maybe this is a stupid question, but exactly how are you supposed to
use this information to verify a cert? I've done an informal survey of
a few financial institutions whose sites use SSL, and the number of
them that were able to provide me with a fingerprint over the phone
was exactly zero."
Which bank was that person you mention talking to?
--
- Adam
-----
** My new project --> http://www.visiognomy.com/daily
** Flagship blog --> http://www.aquick.org/blog
Hire me: [ http://www.adamfields.com/Adam_Fields_Resume.htm ]
Links: [ http://del.icio.us/fields ]
Photos: [ http://www.aquick.org/photoblog ]
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com