PKI too confusing to prevent phishing, part 28
Paul Hoffman
paul.hoffman at vpnc.org
Sun Sep 25 17:26:55 EDT 2005
<http://www.informationweek.com/story/showArticle.jhtml?articleID=171200010>
Summary: some phishes are going to SSL-secured sites that offer up
their own self-signed cert. Users see the warning and say "I've seen
that dialog box before, no problem", and accept the cert. From that
point on, the all-important lock is showing so they feel safe.
Although the company reporting this, SurfControl, is known for
alarmism, this is a completely predictable situation. If users can
hold one bit and the bit is "look for the lock", then phishers will
do anything to get the lock up there.
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List