[Cryptography] Encryption opinion
Stephan Neuhaus
stephan.neuhaus at tik.ee.ethz.ch
Mon Aug 25 02:31:52 EDT 2014
On 2014-08-24, 13:40, ianG wrote:
> The bad things that seem to happen at the user level rely on the split
> between HTTP and HTTPS, in that users cannot tell the difference and get
> phished.

I would opine that even if users could tell the difference, they'd still
get phished. HTTPS doesn't protect against phishing; if your browser is
talking to a phishing site, and if they have a genuine certificate, the
certificate will happily (and correctly) attest to the authenticity of
that phishing site.

Pervasive HTTPS would indeed be a (part of the) solution to the problem,
if only because it would no longer be possible to make the stupid
decision that a site with a self-signed certificate (that fails to
verify because the browser doesn't have the issuer's cert in its cache
of trusted roots) is somehow less secure than a site with no certificate
at all.

Fun,

Stephan