Duane wrote:
Phishing Scams Incorporate SSL Certificates
Posted by timothy on Tuesday March 09, @11:54PM
from the flashing-a-badge dept.
dettifoss writes "Netcraft reports: `Internet "phishing" scams are
incorporating the use of SSL certificates in their efforts to trick
users into divulging sensitive login information for financial
accounts.' Perhaps more disturbingly: `Scammers can also configure their
web server so that deceptive SSL certificates won't trigger an alert in
the user's browser. "One of the SSL encoding methods is 'plain text',"
Neal Krawetz from Secure Science Corporation noted in the SANS post on
the issue. "Most SSL servers have this disabled by default, but most
browsers support it. When plain text is used, no central certificate
authority is consulted and the user never sees a message asking if a
certificate should be accepted.'"
That statement about plain text mode that doesn't test certificates is
utter nonsense. It's causing Fear Uncertainty and Doubt (FUD).
It's NONSENSE.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
