PKI too confusing to prevent phishing, part 28
Bill Frantz
frantz at pwpconsult.com
Tue Sep 27 01:21:02 EDT 2005
On 9/25/05, paul.hoffman at vpnc.org (Paul Hoffman) wrote:
><http://www.informationweek.com/story/showArticle.jhtml?articleID=171200010>
>
>Summary: some phishes are going to SSL-secured sites that offer up
>their own self-signed cert. Users see the warning and say "I've seen
>that dialog box before, no problem", and accept the cert. From that
>point on, the all-important lock is showing so they feel safe.
One important point is that the dialog box will appear the same, even if
the self-signed cert is signed by a different key. It has no memory of
previously accessed sites. It takes something like the petname or
trustbar tools to provide the memory that makes self-signed certs like
SSH keys.
Cheers - Bill
---------------------------------------------------------------------
Bill Frantz | The first thing you need | Periwinkle
(408)356-8506 | when using a perimeter | 16345 Englewood Ave
www.pwpconsult.com | defense is a perimeter. | Los Gatos, CA 95032
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
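Added example, not part of the original message and not code from the petname or trustbar tools: a minimal sketch of the per-site memory the reply describes, contrasted with a warning dialog that has none. `PinStore`, `memoryless_dialog`, the host name and the certificate byte strings are all hypothetical and constructed for illustration; a real tool would persist the store and pin parsed certificates or public keys.

```python
import hashlib


def memoryless_dialog(host: str, cert_der: bytes) -> str:
    """The dialog described in the message: same warning for any self-signed cert."""
    return "WARN: self-signed certificate"


class PinStore:
    """Hypothetical per-site memory: first accepted cert fingerprint plus a petname."""

    def __init__(self) -> None:
        self._pins: dict[str, tuple[str, str]] = {}  # host -> (fingerprint, petname)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def accept(self, host: str, cert_der: bytes, petname: str) -> None:
        # Called once, when the user decides to trust the site (as with SSH).
        self._pins[host] = (self.fingerprint(cert_der), petname)

    def check(self, host: str, cert_der: bytes) -> str:
        pin = self._pins.get(host)
        if pin is None:
            return "UNKNOWN: never seen, no petname"
        pinned_fp, petname = pin
        if pinned_fp == self.fingerprint(cert_der):
            return f"KNOWN: {petname}"
        return f"CHANGED: certificate for '{petname}' differs from the one accepted"


# Constructed stand-ins for DER-encoded self-signed certificates (not real certs).
CERT_FIRST = b"constructed-cert: CN=intranet.example, key=A"
CERT_OTHER_KEY = b"constructed-cert: CN=intranet.example, key=B"


def demo() -> list[str]:
    store, host = PinStore(), "intranet.example"
    results = [store.check(host, CERT_FIRST)]           # first visit
    store.accept(host, CERT_FIRST, "Work intranet")     # user accepts and names it
    results.append(store.check(host, CERT_FIRST))       # later visit, same cert
    results.append(store.check(host, CERT_OTHER_KEY))   # same name, different key
    return results


if __name__ == "__main__":
    print(memoryless_dialog("intranet.example", CERT_FIRST))
    print(memoryless_dialog("intranet.example", CERT_OTHER_KEY))
    print("\n".join(demo()))
```
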