Jon Snader wrote:

> I don't understand this. Let's suppose, for the sake of argument, that MitM is impossible. It's still trivially easy to make a fake site and harvest sensitive information. If we assume (perhaps erroneously) that all but the most naive user will check that they are talking to a ``secure site'' before they type in that credit card number, doesn't the cert provide assurance that you're talking to whom you think you are?
It's not *that* difficult to obtain a certificate for something involving a well-known brand. The certificate generation process appears to be fully automated, and we know that it has already failed. Furthermore, the certificate says nothing about the contents of the site. You can register something like REFRESH-ACCOUNT.COM and collect passwords using an Ebay or AOL imitation, and none of the SSL CAs will refuse to certify your key material for use with REFRESH-ACCOUNT.COM.

So why do we see so little fraud involving HTTPS sites? I'd guess that's because the current social engineering tactics are effective without the "https://" mark. Most users look for assurances of their privacy, and if the web site says "128 bit encrypted", they feel safe, independent of the actual transport channel.
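An added example, not part of the post or by its author, that makes the point above concrete: a client's identity check only asks whether the hostname it connected to is one of the names the CA certified, so a certificate for a look-alike domain passes that check just as a genuine one does. The `CertNames` record and the sample domains are constructed for the example; `identity_is_expected` is the separate check a certificate does not do for you.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """The identity fields of a server certificate (constructed for this example)."""
    common_name: str
    subject_alt_names: List[str] = field(default_factory=list)


def _match_one(pattern: str, hostname: str) -> bool:
    """Match one certified name against a hostname, case-insensitively.
    A leading '*.' wildcard covers exactly one left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:] and bool(h_labels[0]) and "*" not in h_labels[0]


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """What TLS identity verification establishes: the hostname is one of the
    certified names (SAN entries preferred; CN used only when there are none)."""
    names = cert.subject_alt_names or [cert.common_name]
    return any(_match_one(name, hostname) for name in names)


def identity_is_expected(hostname: str, expected_domains: set) -> bool:
    """The check the certificate does not make: is this host one of the domains
    the user actually intended to reach (or a subdomain of one)?"""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected_domains)


# Constructed sample: a certificate legitimately issued for the look-alike
# domain from the post, and the domains a user believes they are visiting.
LOOKALIKE_CERT = CertNames(
    "refresh-account.com", ["refresh-account.com", "www.refresh-account.com"]
)
EXPECTED_DOMAINS = {"ebay.com", "aol.com"}

if __name__ == "__main__":
    host = "www.refresh-account.com"
    print("certificate valid for host:", hostname_matches(LOOKALIKE_CERT, host))
    print("host is an expected brand domain:", identity_is_expected(host, EXPECTED_DOMAINS))
```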