Fixing SSL (was Re: Dutch Transport Card Broken)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Feb 21 20:39:02 EST 2008


Thierry Moreau <thierry.moreau at connotech.com> writes:

>At first, it seems neat. But then, looking at how it works in practice: the
>client receives an e-mail notification soliciting him to click on an HTML link
>and then enroll for a security certificate, the client is solicited exactly
>like a phishing criminal would do,

Correction, "exactly like phishing criminals are actively doing right now"
(hat tip to Don Jackson of SecureWorks who's investigated and documented this
practice).  Given the almost complete failure of client certs in the
marketplace, I found it most amusing that the current active users of "client
certs" are phishers.  It reminded me of spammers and SPF.

>       Title:   Sender driven certification enrollment system
>       Document Type and Number:  United States Patent 6651166
>       Link to this page:  http://www.freepatentsonline.com/6651166.html
>
>       Filing Date: 04/09/1998
>       Publication Date: 11/18/2003

Thus postdating Microsoft's CertEnroll/Certenr3/Xenroll ActiveX control by
several years.  The only difference here is that the user generates the cert
directly rather than involving a CA.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
