A cool demo of how to spoof sites (also shows how TrustBar prevents this...)

Adam Fields cryptography23094893 at aquick.org
Thu Feb 10 19:16:50 EST 2005


On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote:
[...]
> One member of this mailing list, in a private exchange, noted that
> he had asked his bank for their certificate's fingerprint.  My
> response was that I was astonished he found someone who knew what
> he was talking about.
[...]

I wrote on this list, in June 2003, the last time we had this
conversation (regarding a similar plugin called SSLBar):

"Maybe this is a stupid question, but exactly how are you supposed to
use this information to verify a cert? I've done an informal survey of
a few financial institutions whose sites use SSL, and the number of
them that were able to provide me with a fingerprint over the phone
was exactly zero."

Which bank was that person you mention talking to?


-- 
				- Adam

-----
** My new project --> http://www.visiognomy.com/daily
   **  Flagship blog --> http://www.aquick.org/blog
Hire me: [ http://www.adamfields.com/Adam_Fields_Resume.htm ]
Links:   [ http://del.icio.us/fields ]
Photos:  [ http://www.aquick.org/photoblog ]



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


