Nelson B <[EMAIL PROTECTED]> writes:

>As reported in
>http://www.informationweek.com/shared/printableArticle.jhtml?articleID=171200010
>phishers are now using self-signed certs on their phony web sites, to make
>the lock icons appear for their web sites, to give the victims a false sense
>of security.

>Of course, the victims must first dismiss a large warnign dialog about
>the cert coming from an unknown issuer.  But according to the article,
>many users dismiss that dialog without any understanding of what it means.

No-one's ever done a rigorous study of this, but there is plenty of anecdotal
evidence (e.g. the site that had a large red cross and "Invalid Certificate"
on it that users had to click past before making multi-thousand-dollar
payments, the bank site with an invalid cert that didn't stop 299 of 300
users, etc etc) that cert warnings are almost completely ineffective in
stopping users from going to a web page that they want to visit.  That's why
the best strategy for this is to treat a cert validation failure in the same
way as a network error: Users know how to handle this, and it puts pressure on
site admins to get things right.

Peter.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto

Reply via email to