[18558] in cryptography@c2.net mail archive
PKI too confusing to prevent phishing, part 28
daemon@ATHENA.MIT.EDU (Paul Hoffman)
Sun Sep 25 21:44:17 2005
X-Original-To: cryptography@metzdowd.com
Date: Sun, 25 Sep 2005 14:26:55 -0700
To: cryptography@metzdowd.com
From: Paul Hoffman <paul.hoffman@vpnc.org>

<http://www.informationweek.com/story/showArticle.jhtml?articleID=171200010>

Summary: some phishes are going to SSL-secured sites that offer up
their own self-signed cert. Users see the warning and say "I've seen
that dialog box before, no problem", and accept the cert. From that
point on, the all-important lock is showing so they feel safe.

Although the company reporting this, SurfControl, is known for
alarmism, this is a completely predictable situation. If users can
hold one bit and the bit is "look for the lock", then phishers will
do anything to get the lock up there.

--Paul Hoffman, Director
--VPN Consortium