[19310] in cryptography@c2.net mail archive


Re: browser vendors and CAs agreeing on high-assurance certificates

daemon@ATHENA.MIT.EDU (Damien Miller)
Sun Dec 18 17:48:57 2005

X-Original-To: cryptography@metzdowd.com
Date: Mon, 19 Dec 2005 08:12:11 +1100
From: Damien Miller <djm@mindrot.org>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com,
	"Steven M. Bellovin" <smb@cs.columbia.edu>
In-Reply-To: <43A5302F.24812.6E83E65@localhost>

James A. Donald wrote:
>     --
> Has anyone been attacked through a certificate that 
> would not have been issued under stricter security?  The 
> article does not mention any such attacks, nor have I
> ever heard of such an attack.

How much money does a phishing site make before it is forced to close
(and change its cert)? Would it be greater or less than the cost of a HA
cert?

If browser vendors make UI changes to indicate the presence of a HA cert
to users (some are apparently considering changing the URL bar green),
and users trust HA certs more as a result, then that increases their
value when used in a scam.

It isn't too much of a stretch of the imagination that phishers would go
to the trouble of registering companies and forging enough of a financial
record to meet the higher assurance standards if it would make users
more credulous of their site.

-d
