[Cryptography] When HTTP is outlawed, the outlaws will use HTTPS

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Dec 8 21:20:31 EST 2017


What happens when you try and force everyone off HTTP onto HTTPS?  Everyone,
including the bad guys, ends up on HTTPS:

https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains

In particular, "the rate at which phishing sites are hosted on HTTPS pages is
rising significantly faster than overall HTTPS adoption".

What's even worse is that since we've been telling users for years that if
it's on HTTP it's safe, it's actually making the phishing more effective.

Presumably the browser vendors' response will be to derate HTTPS so that it's
more like the old HTTP, and make EV the only "true" HTTPS.  Then everyone will
have to move to EV, and the whole dance will begin again.  The term "da capo
al segno" [0] springs irresistibly to mind.

Peter.

[1] That should probably be "firmare", but it's less of a bad pun that way.

