AmEx unprotected login site
Amir Herzberg
herzbea at macs.biu.ac.il
Thu Jun 9 06:31:26 EDT 2005
A few comments on what Ivars Suba wrote:
> How to fight against phishing in an organization environment?
> Quite easy - put an SSL termination proxy between client browser and SSL
> server:
Sure, but:
1. This doesn't have any effect on non-SSL-protected sites (e.g.
AmEx, ... see `Hall of Shame`). And of course it assumes users will notice
the use of a non-SSL site...
2. This assumes that the problem is `untrusted site certificates`. Is
it? Which CAs would you NOT accept anymore? In particular, would you now
reject all `domain validated certificates` (about 25% of SSL sites, I've
heard)? Much better IMHO to give the information to the user, possibly
warning against (or blocking) certs from a CA you know to be bad.
3. This solution takes advantage of the fact that users don't have any
idea which CA they trust... which is true, but very bad, breaking the
trust model. I think it is better to make the CA visible to the user
(but in a way users can understand - I believe we have that with TrustBar).
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com