On Jan 26, 2009, at 11:13 PM, Ben Laurie wrote:
On Sun, Jan 25, 2009 at 11:04 PM, Jerry Leichter <[email protected]> wrote:
I just received a phishing email, allegedly from HSBC:
Dear HSBC Member,
Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV SSL Certification on this Internet Banking website.
The use of EV SSL certification works with high security Web browsers to clearly identify whether the site belongs to the company or is another site imitating that company's site....
(I hope I haven't quoted enough to trigger someone's spam detectors!)
Needless to say, the message goes on to suggest clicking on a link to
update your account.
So did the link have an EV cert?
I didn't try it! While Safari on a Mac has been reasonably secure,
it's not been *entirely* immune to attacks, and it didn't seem like a
good idea to tempt fate.
It might be useful to put together a special-purpose HTTPS client
which would initiate a connection and tell you about the cert
returned, then exit. Absent a nasty bug in SSL itself, that should be
pretty safe. (The client might want to go through TOR to avoid adding
your IP address to some spammer database of "IP's that follow links
found in spam", though in practice I doubt that matters much - there
are enough likely victims out there that such a database probably
wouldn't be worth the bother.)
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
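
The handshake-only client suggested in the message above, as an added example that is not part of the original post (Python, standard library only). The EV check is a heuristic on subject fields, the function names are this example's own, and the sample certificate is constructed.

```python
import socket
import ssl
import sys

# EV-typical subject attributes, named as Python's ssl module reports them.
# Heuristic only: browsers decide EV status from the policy OID and issuing CA.
EV_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "GB"),),
                (("serialNumber", "00000000"),),
                (("organizationName", "Example Bank plc"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example EV CA"),),),
    "notAfter": "Jan 26 23:59:59 2010 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}

def summarize_cert(cert):
    """Condense a dict in ssl.SSLSocket.getpeercert() format."""
    def flatten(rdns):
        return {k: v for rdn in rdns for (k, v) in rdn}
    subject = flatten(cert.get("subject", ()))
    issuer = flatten(cert.get("issuer", ()))
    return {
        "subject_org": subject.get("organizationName"),
        "subject_cn": subject.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        "not_after": cert.get("notAfter"),
        "dns_names": [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"],
        "ev_like_subject": EV_SUBJECT_FIELDS.issubset(subject),
    }

def fetch_cert(host, port=443, timeout=10):
    """TLS handshake only: no HTTP request is sent, no page content is fetched."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"verified": True, **summarize_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # A failed validation is itself the answer for a suspect link.
        return {"verified": False, "error": exc.verify_message}

if __name__ == "__main__":
    print(fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else summarize_cert(SAMPLE))
```

Run with a hostname argument to query a live server; without one it prints the summary of the constructed sample.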