[Cryptography] Encryption opinion

Stephan Neuhaus stephan.neuhaus at tik.ee.ethz.ch
Mon Aug 25 02:31:52 EDT 2014


On 2014-08-24, 13:40, ianG wrote:
> The bad things that seem to happen at the user level rely on the split
> between HTTP and HTTPS, in that users cannot tell the difference and get
> phished.

I would opine that even if users could tell the difference, they'd still
get phished.  HTTPS doesn't protect against phishing; if your browser is
talking to a phishing site, and if they have a genuine certificate, the
certificate will happily (and correctly) attest to the authenticity of
that phishing site.

Pervasive HTTPS would indeed be a (part of the) solution to the problem,
if only because it would no longer be possible to make the stupid
decision that a site with a self-signed certificate (that fails to
verify because the browser doesn't have the issuer's cert in its cache
of trusted roots) is somehow less secure than a site with no certificate
at all.

Fun,

Stephan

