A mighty fortress is our PKI, Part II

Bill Stewart bill.stewart at pobox.com
Fri Jul 30 18:08:22 EDT 2010


At 07:16 AM 7/28/2010, Ben Laurie wrote:
>SSH does appear to have got away without revocation, though the nature
>of the system is s.t. if I really wanted to revoke I could almost
>always contact the users and tell them in person. This doesn't scale
>very well to SSL-style systems.

Unfortunately, there _are_ ways that it can scale adequately.
Bank of America has ~50 million customers,
so J. Random Spammer sends out 500 million emails saying
"Bank of America is updating our security procedures,
please click on the following link to update your browser."
It's more efficient for BofA to send out the message themselves,
only to actual subscribers, with the actual keys,
helping to train them to accept phishing mail in the process,
but apparently even doing it the hard way scales well enough for some 
people to make money.

---------------------------------------------------------------------
The Cryptography Mailing List