[Cryptography] So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Thu Feb 9 13:50:32 EST 2017


On 09-Feb-17 1:59 AM, Salz, Rich wrote:
> Your proposal does not seem useful to me. Phishing, as I understand it, is when you convince the victim to click on a bogus site.

Yes. The research was anti-counterfeiting research.

> But I can register fidelity.biz, and get a domain-validated certificate for that domain.  How will your system prevent Joe from being phished to try to login, give their name and password to my site, when they really should have gone to fidelity.com?

After your browser verifies the digital signature on a TLS certificate it creates fig 1 with the picture from your local hard drive and Bob, Trent etc. from the TLS certificate. Hence phishers can only get an incorrect/fake name for Bob by tricking a Certificate Authority (CA), or hacking a CA. Once people are using fig 1 as a dedicated login screen it's up to the CA to ensure correct business names are inside TLS certificates.
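The mechanism the reply describes (local picture plus names taken from a verified TLS certificate) sketched as a small Python routine. This is an added illustration, not code from the thread or from the author's proposal; it assumes the certificate arrives in the nested-tuple form returned by Python's `ssl.SSLSocket.getpeercert()` after chain verification, and the sample certificates and image path are constructed for the demonstration.

```python
"""Build the per-site login screen ("fig 1" in the thread) from a local image
plus the identity in a verified TLS certificate. Added example; the helper
names and sample data below are assumptions, not part of the original post."""
import socket
import ssl
from typing import Dict, Optional


def subject_fields(peercert: Dict) -> Dict[str, str]:
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) subject into a dict."""
    fields: Dict[str, str] = {}
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            fields.setdefault(key, value)
    return fields


def verified_identity(peercert: Optional[Dict]) -> Dict[str, Optional[str]]:
    """Names the login screen may display. getpeercert() returns an empty dict
    when the peer was not verified, so an empty/None value is refused outright."""
    if not peercert:
        raise ValueError("certificate not verified; refusing to build login screen")
    subj = subject_fields(peercert)
    dns_sans = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "domain": dns_sans[0] if dns_sans else subj.get("commonName"),
        # Domain-validated certificates carry no organizationName at all.
        "organization": subj.get("organizationName"),
    }


def build_login_screen(local_image_path: str, peercert: Optional[Dict]) -> Dict:
    """Combine the user's locally stored picture (never sent to the server)
    with only those names a CA actually vouched for."""
    ident = verified_identity(peercert)
    return {
        "image": local_image_path,
        "domain": ident["domain"],
        "organization": ident["organization"],
        # False for a DV cert: the screen then shows a bare domain and no
        # business name, which is the gap the thread's objection points at.
        "organization_vouched": ident["organization"] is not None,
    }


def refuses_unverified(local_image_path: str, peercert: Optional[Dict]) -> bool:
    """True if the screen builder rejects an unverified/empty certificate."""
    try:
        build_login_screen(local_image_path, peercert)
    except ValueError:
        return True
    return False


def live_peercert(hostname: str, port: int = 443) -> Dict:
    """Fetch a real peer certificate with chain and hostname verification
    enforced by the default context (not exercised offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample: an OV-style certificate with an organization name.
SAMPLE_OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Brokerage Inc"),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Constructed sample: a domain-validated certificate for a look-alike domain.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "example.biz"),),),
    "subjectAltName": (("DNS", "example.biz"),),
}

if __name__ == "__main__":
    for cert in (SAMPLE_OV_CERT, SAMPLE_DV_CERT):
        print(build_login_screen("/home/joe/secret-picture.png", cert))
```

Run against the two constructed certificates, the OV one yields a screen carrying the vouched organization name, while the DV look-alike yields only its domain with `organization_vouched` false; an empty certificate dict (what `getpeercert()` returns without verification) is refused.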