Eddy Nigg (StartCom Ltd.) wrote:
> That's perhaps a question for the EV/Browser Forum... but since the
> subscriber is supposed to get validated extensively, he would not dare
> to try something like this.

This merely raises the cost of doing business for "the bad guys"; it doesn't prevent or deter things, since ID theft and ID fraud and plain old fake ID documents are rampant. Basing a strong system around a weak one (ID documents) won't fix the problem, just cull the stupid.

Although as you pointed out, most phishing/fraud attacks don't even bother with SSL certificates, so this isn't going to prevent much until the population can be educated (good luck with that) or shown how to tell better (pet name tool bars etc) that something is up with the site they are visiting.

Attacks, just like water, will always take the easiest path.

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
