What EV certs are good for
Jerry Leichter
leichter at lrw.com
Tue Jan 27 09:04:45 EST 2009
On Jan 26, 2009, at 11:13 PM, Ben Laurie wrote:
> On Sun, Jan 25, 2009 at 11:04 PM, Jerry Leichter <leichter at lrw.com>
> wrote:
>> I just received a phishing email, allegedly from HSBC:
>>
>> Dear HSBC Member,
>>
>> Due to the high number of fraud attempts and phishing scams, it has been
>> decided to implement EV SSL Certification on this Internet Banking
>> website.
>>
>> The use of EV SSL certification works with high security Web browsers to
>> clearly identify whether the site belongs to the company or is another
>> site imitating that company's site....
>>
>> (I hope I haven't quoted enough to trigger someone's spam detectors!)
>> Needless to say, the message goes on to suggest clicking on a link to
>> update your account.
>
> So did the link have an EV cert?
I didn't try it! While Safari on a Mac has been reasonably secure,
it's not been *entirely* immune to attacks, and it didn't seem like a
good idea to tempt fate.
It might be useful to put together a special-purpose HTTPS client
which would initiate a connection and tell you about the cert
returned, then exit. Absent a nasty bug in SSL itself, that should be
pretty safe. (The client might want to go through TOR to avoid adding
your IP address to some spammer database of "IP's that follow links
found in spam", though in practice I doubt that matters much - there
are enough likely victims out there that such a database probably
wouldn't be worth the bother.)
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
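The special-purpose client described in the message, sketched as an added example that is not part of the original post: it completes a TLS handshake, reports on the certificate returned, and disconnects without sending an HTTP request. The function names and the EV heuristic (presence of the extra subject fields EV certificates carry) are assumptions of this example, and it does not route through Tor.

```python
import socket
import ssl
import sys

# Subject attributes that EV certificates carry in addition to the usual
# organisation fields. Treating their presence as "looks like EV" is a
# heuristic assumed for this example; browsers decide EV status from the
# certificate policy OID and the issuing root instead.
EV_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def flatten_name(name):
    """Turn getpeercert()'s nested RDN tuples into a flat dict."""
    return {key: value for rdn in name for key, value in rdn}


def summarize_cert(cert):
    """Summarise a dict in the format returned by SSLSocket.getpeercert()."""
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    return {
        "subject_cn": subject.get("commonName"),
        "subject_org": subject.get("organizationName"),
        "issuer_org": issuer.get("organizationName"),
        "not_after": cert.get("notAfter"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "ev_subject_fields": EV_SUBJECT_FIELDS.issubset(subject),
    }


def fetch_cert(host, port=443, timeout=10):
    """Complete a TLS handshake, read the peer certificate, and disconnect.

    No HTTP request is sent, so no page content is ever fetched or parsed.
    """
    context = ssl.create_default_context()  # chain and hostname are verified
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return summarize_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # A failed verification is itself the answer for a suspect link.
        return {"verify_error": exc.verify_message}


if __name__ == "__main__" and len(sys.argv) == 2:
    for key, value in fetch_cert(sys.argv[1]).items():
        print(f"{key}: {value}")
```

Run it with the hostname from the link as the only argument; compare `subject_org` and `dns_names` with the organisation the message claims to come from.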