PKI too confusing to prevent phishing, part 28

Bill Frantz frantz at
Tue Sep 27 01:21:02 EDT 2005

On 9/25/05, paul.hoffman at (Paul Hoffman) wrote:

>Summary: some phishes are going to SSL-secured sites that offer up 
>their own self-signed cert. Users see the warning and say "I've seen 
>that dialog box before, no problem", and accept the cert. From that 
>point on, the all-important lock is showing so they feel safe.

One important point is that the dialog box will appear the same, even if
the self-signed cert is signed by a different key.  It has no memory of
previously accessed sites.  It takes something like the petname or
trustbar tools to provide the memory that makes self-signed certs like
SSH keys.

Cheers - Bill

Bill Frantz        | The first thing you need   | Periwinkle
(408)356-8506      | when using a perimeter     | 16345 Englewood Ave
                   | defense is a perimeter.    | Los Gatos, CA 95032
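The "memory" Bill is asking for is what SSH's known_hosts gives you: a pin recorded on first contact, so that a later visit to the same host with a different self-signed key produces a distinct, louder warning than the generic dialog. The following is an added illustration of that trust-on-first-use check, not code from the original post or from the petname or trustbar tools; the host names, the store file name and the "certificate" byte strings are constructed for the example, and only the fingerprint-and-pin logic is the point.

```python
"""Trust-on-first-use (TOFU) pinning of TLS server certificates, known_hosts style.

Added example, not code from the original post.  The browser dialog the post
describes warns identically for every self-signed certificate; this store
remembers what was presented for a host and distinguishes "first contact" from
"the key changed", which is the SSH known_hosts behaviour the post refers to.
"""
import hashlib
import json
import os
import socket
import ssl
from typing import Dict, Tuple

FIRST_SEEN = "first_seen"   # no pin yet: ask the user once, then remember
MATCH = "match"             # same certificate as last time: no dialog needed
MISMATCH = "mismatch"       # a pin exists but the key differs: the dangerous case


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding (what `openssl x509 -fingerprint -sha256` prints)."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(store: Dict[str, str], host: str, cert_der: bytes,
              trust_first_use: bool = True) -> Tuple[str, str]:
    """Compare the presented certificate with the pin stored for `host`.

    Returns (verdict, fingerprint).  On FIRST_SEEN the pin is recorded when
    trust_first_use is set, mirroring ssh's "continue connecting?" prompt
    followed by an addition to known_hosts.  A MISMATCH never overwrites the
    pin: replacing it is a deliberate user action, not a side effect.
    """
    fp = fingerprint(cert_der)
    pinned = store.get(host)
    if pinned is None:
        if trust_first_use:
            store[host] = fp
        return FIRST_SEEN, fp
    if pinned == fp:
        return MATCH, fp
    return MISMATCH, fp


def load_store(path: str) -> Dict[str, str]:
    """Read the host -> fingerprint map; a missing file is an empty store."""
    if not os.path.exists(path):
        return {}
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_store(path: str, store: Dict[str, str]) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(store, fh, indent=2, sort_keys=True)


def fetch_server_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate without chain validation; the pin is the check.

    Not exercised below (needs network); shown so the store can be fed real
    certificates.  Hostname checking must be disabled before verify_mode.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> Dict[str, str]:
    """Walk through the post's scenario with constructed certificate bytes."""
    store: Dict[str, str] = {}
    # Constructed stand-ins for DER-encoded certificates (not real X.509 data).
    legit = b"constructed DER: bank.example self-signed cert, key A"
    swapped = b"constructed DER: bank.example self-signed cert, key B"
    results = {
        "first": check_pin(store, "bank.example", legit)[0],    # one-time prompt
        "again": check_pin(store, "bank.example", legit)[0],    # silent
        "swapped": check_pin(store, "bank.example", swapped)[0],  # loud warning
    }
    results["pin_kept"] = "yes" if store["bank.example"] == fingerprint(legit) else "no"
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step}: {verdict}")
```

Note the limit Bill already states: memory only helps for a host you have visited before. The first contact with a phishing host is still a one-time prompt, so a pin store only turns the second-and-later visits, and any key swap on a known host, into a distinguishable event.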

The Cryptography Mailing List