Few comments on what Ivars Suba wrote:
How to fight against phishing in an organization environment?
Quite easy - put an SSL termination proxy between the client browser and the SSL server:
Sure, but:
1. This doesn't have any effect on non-SSL-protected sites (e.g. AmEx, ... see `Hall of Shame`). And of course it assumes users will notice the use of a non-SSL site...

2. This assumes that the problem is `untrusted site certificates`. Is it? Which CAs would you NOT accept anymore? In particular, would you now reject all `domain validated certificates` (about 25% of SSL sites, I've heard)? Much better imho to give the information to the user, possibly warning against (or blocking) certs from a CA you know to be bad.

3. This solution takes advantage of the fact that users don't have any idea which CA they trust... which is true but very bad, breaking the trust model. I think it is better to make the CA visible to the user (but in a way users can understand - I believe we have that with TrustBar).

--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]