Duane wrote:

HJ wrote:



Another problem is that Gerv's paper only covers SSL protected sites, but
most recent phishing attacks (example: http://www.rceasy.com/paypal/ )
do not even use SSL protection, so I might still be fooled, without
being notified.



Out of all the spam emails that seem to bypass my filtering rules, I'm
yet to see any actually using SSL, most try to hide the real URL with
HTML, but for the most part a quick mouse over shows the real non-SSL URL...



I saw one about a year ago. I followed it all the way through, trying to figure out how they'd "stolen" the cert. It took me about 10 mins to work it out, and it was a real "doh!" moment.

Basically, they'd just got a cert issued in
some random name like "secure-payments.com"
and used that.

You won't ever see much SSL activity on phishing
until the browser forces the user to start looking
for SSL.  That's the beef with the little padlock...

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
