[18573] in cryptography@c2.net mail archive


Re: PKI too confusing to prevent phishing, part 28

daemon@ATHENA.MIT.EDU (Bill Frantz)
Wed Sep 28 00:41:26 2005

X-Original-To: cryptography@metzdowd.com
Date: Mon, 26 Sep 2005 22:21:02 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: cryptography@metzdowd.com
In-Reply-To: <p06230916bf5cc5955004@[10.20.30.249]>

On 9/25/05, paul.hoffman@vpnc.org (Paul Hoffman) wrote:

><http://www.informationweek.com/story/showArticle.jhtml?articleID=171200010>
>
>Summary: some phishes are going to SSL-secured sites that offer up
>their own self-signed cert. Users see the warning and say "I've seen
>that dialog box before, no problem", and accept the cert. From that
>point on, the all-important lock is showing so they feel safe.

One important point is that the dialog box will appear the same, even if
the self-signed cert is signed by a different key.  It has no memory of
previously accessed sites.  It takes something like the petname or
trustbar tools to provide the memory that makes self-signed certs like
SSH keys.

Cheers - Bill

---------------------------------------------------------------------
Bill Frantz        | The first thing you need   | Periwinkle
(408)356-8506      | when using a perimeter     | 16345 Englewood Ave
www.pwpconsult.com | defense is a perimeter.    | Los Gatos, CA 95032

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
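Added example, not part of Bill's post and not code from any petname or TrustBar tool: the SSH-style memory he describes, written as a small Python trust-on-first-use store that pins the first certificate seen for a host and flags a later certificate from a different key rather than re-showing the same generic dialog. The host names, petnames, JSON file layout and certificate bytes are constructed for illustration.

```python
"""Key-continuity ("trust on first use") memory for self-signed TLS certs.
Constructed example: like SSH's known_hosts, the first cert seen for a host
is pinned under a petname; a later cert from a different key is flagged
instead of getting the same generic "accept this certificate?" dialog."""
import hashlib
import json
import socket
import ssl
from enum import Enum
from pathlib import Path
from typing import Optional

class Verdict(Enum):
    FIRST_SEEN = "first visit: certificate pinned"
    MATCH = "certificate matches the pinned one"
    CHANGED = "CERTIFICATE CHANGED since last visit"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate: a stable identity for a self-signed cert."""
    return hashlib.sha256(cert_der).hexdigest()

def peer_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the raw cert a server presents, skipping chain validation so a
    self-signed cert can be pinned; the trust decision is made by KnownHosts."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

class KnownHosts:
    """host -> {fingerprint, petname}; persisted as JSON when a path is given."""
    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.entries = json.loads(path.read_text()) if path and path.exists() else {}

    def check(self, host: str, cert_der: bytes, petname: Optional[str] = None) -> Verdict:
        fp = fingerprint(cert_der)
        known = self.entries.get(host)
        if known is None:                      # no memory yet: remember this key
            self.entries[host] = {"fingerprint": fp, "petname": petname or host}
            self._save()
            return Verdict.FIRST_SEEN
        if known["fingerprint"] == fp:         # same key as before
            return Verdict.MATCH
        # Never overwrite silently: a changed key is the case the user must notice.
        return Verdict.CHANGED

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.entries, indent=2))
```

Against a live host the store would be fed with `peer_cert_der(host)`; a CHANGED verdict is the point at which a petname-style UI should refuse to show the familiar name or lock.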
