Nelson B <[EMAIL PROTECTED]> writes: >As reported in >http://www.informationweek.com/shared/printableArticle.jhtml?articleID=171200010 >phishers are now using self-signed certs on their phony web sites, to make >the lock icons appear for their web sites, to give the victims a false sense >of security.
>Of course, the victims must first dismiss a large warnign dialog about >the cert coming from an unknown issuer. But according to the article, >many users dismiss that dialog without any understanding of what it means. No-one's ever done a rigorous study of this, but there is plenty of anecdotal evidence (e.g. the site that had a large red cross and "Invalid Certificate" on it that users had to click past before making multi-thousand-dollar payments, the bank site with an invalid cert that didn't stop 299 of 300 users, etc etc) that cert warnings are almost completely ineffective in stopping users from going to a web page that they want to visit. That's why the best strategy for this is to treat a cert validation failure in the same way as a network error: Users know how to handle this, and it puts pressure on site admins to get things right. Peter. _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
