In message <[EMAIL PROTECTED]>, EKR writes:
> "Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
> > > Now, this does require that the CAs that your browser trusts follow
> > > the Common Name=domain name convention, but that's just a special
> > > case of trusting your CAs.
> > 
> > The attacker could also present a certificate from a fake CA with an 
> > appropriate name -- say, "Netscape Security Services", or something that
> > plays on the site name they're trying to impersonate -- "Amazon.Com Encryption
> > Certification Center" if someone is trying to reach Amazon.com or some such.
> Right. In which case Netscape brings up a different dialog which
> says that the server certificate is signed by an unrecognized
> CA. Again, you can proceed, but it's not like it's automatic.

It's clearly not automatic, but I suspect it would work....
