James A. Donald wrote:
> How many attacks have there been based on automatic trust of
> verisign's feckless ID checking?   Not many, possibly none.
I imagine if there exists a https://www.go1d.com/ site for purposes of
fraud, it won't be using a self-signed cert. Of course it is possible that
the attackers are using http:// instead, but more people are likely to
notice that.

> That is not the weak point, not the point where the attacks
> occur.   If the browser was set to accept self signed
> certificates by default, it would make little difference to
> security.
I don't think any currently can be - but regardless, an attacker wishing to
run a fraudulent https site must have a certificate acceptable to the
majority of browsers without changing settings - That currently is the big
name CAs and nobody else.

Reply via email to