[13576] in cryptography@c2.net mail archive
Re: An attack on paypal
daemon@ATHENA.MIT.EDU (Dave Howe)
Wed Jun 11 10:46:13 2003
X-Original-To: cryptography@metzdowd.com
From: "Dave Howe" <DaveHowe@gmx.co.uk>
To: "Email List: Cypherpunks" <cypherpunks@lne.com>,
"Email List: Cryptography" <cryptography@metzdowd.com>
Date: Wed, 11 Jun 2003 15:00:07 +0100
James A. Donald wrote:
> How many attacks have there been based on automatic trust of
> verisign's feckless ID checking? Not many, possibly none.
I imagine if there exists a https://www.go1d.com/ site for purposes of
fraud, it won't be using a self-signed cert. Of course it is possible that
the attackers are using http:// instead, but more people are likely to
notice that.
> That is not the weak point, not the point where the attacks
> occur. If the browser was set to accept self signed
> certificates by default, it would make little difference to
> security.
I don't think any currently can be, but regardless, an attacker wishing to
run a fraudulent https site must have a certificate acceptable to the
majority of browsers without changing settings. That currently is the big
name CAs and nobody else.
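The go1d.com look-alike mentioned above is something a defender can screen for before a CA-issued certificate ever lends it credibility. As an added example that is not part of the original thread, this Python script folds visually confusable characters and measures edit distance from the registrable label to a brand list; the brand list and the confusable table are assumptions for illustration.

```python
"""Added example (not from the thread): flag registrable-domain labels that
are visually confusable with a known brand, e.g. go1d.com versus gold.com."""
from urllib.parse import urlsplit

# Sequences an eye may read as another letter. Illustrative table, not a
# complete confusables list; multi-character entries must come first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t"), ("8", "b"), ("|", "l")]


def normalize_label(label):
    """Lowercase the label and fold confusable sequences to their look-alike."""
    s = label.lower()
    for confusable, plain in CONFUSABLES:
        s = s.replace(confusable, plain)
    return s


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(url):
    """Return the label left of the TLD, e.g. 'go1d' for https://www.go1d.com/."""
    host = urlsplit(url).hostname or ""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def assess(url, brands, max_distance=1):
    """Return (closest brand, distance, flagged). Flagged means the label is not
    the brand itself but, after folding confusables, is within max_distance."""
    raw = second_level_label(url).lower()
    folded = normalize_label(raw)
    best = min(brands, key=lambda b: edit_distance(folded, b))
    dist = edit_distance(folded, best)
    flagged = raw != best and dist <= max_distance
    return best, dist, flagged


if __name__ == "__main__":
    brands = ["gold", "paypal"]  # constructed brand list
    for u in ("https://www.go1d.com/", "https://www.gold.com/", "http://paypa1.com/login"):
        print(u, assess(u, brands))
```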
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com