[Cryptography] Fwd: Re: [FORGED] Re: So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Wed Feb 8 11:20:29 EST 2017


On 08-Feb-17 8:55 AM, Bill Cox wrote:
>
> Well... I think I figured out why that won't work well.  If the browser 
> displays the same thing for every site, as some sort of side-bar or 
> something, then phishers can convince the browser to show it on their 
> phishing site, and only a slight difference in the URL will alert the 
> user about the attack.
>

Your browser will only show it after verifying a TLS certificate's 
digital signature. Hence the phishers need to hack a certificate 
authority to get fig 1 up.

Sure phishers could buy a TLS certificate but it's up to the certificate 
authorities not to sell certificates with fake identities to criminals. 
And yes, I know this has happened. I don't have the references to hand.
