James A. Donald [EMAIL PROTECTED] writes:
But is what they are doing wrong?
The users? No, not really, in that given the extensive conditioning that
they've been subject to, they're doing the logical thing, which is not paying
any attention to certificates. That's why I've been taking the
On 12/23/05, Peter Gutmann [EMAIL PROTECTED] wrote:
PKI in browsers has had 10
years to start working and has failed completely, how many more years are we
going to keep diligently polishing away before we start looking at alternative
approaches?
There have been several long threads over on
--
Peter Gutmann
In fact the real situation is even worse than this.
Although there has been plenty of anecdotal evidence
of the ineffectiveness of SSL certificates over the
years, it wasn't until mid-2005 (ten years after
their introduction) that a rigorous study of their
On Sun, Dec 18, 2005 at 09:47:27AM -0800, James A. Donald wrote:
Has anyone been attacked through a certificate that
would not have been issued under stricter security? The
article does not mention any such attacks, nor have I
ever heard of such an attack.
Ought we forget that two such
James A. Donald [EMAIL PROTECTED] writes:
If no attacks, this is just an excuse for higher priced holy water, an
attempt to alter the Browser interface to increase revenue, not increase
security - to solve the CA's problem, not solve the user's problem.
That's a somewhat cynical view :-) of
http://news.com.com/Browsers+to+get+sturdier+padlocks/2100-1029_3-5989633.html?tag=st.rn
The article is a bit long-winded and short on details, but the basic
message is simple: too many CAs have engaged in a price- and
cost-driven race to the bottom; there are thus too many certificates
being
Steven M. Bellovin wrote:
The article is a bit long-winded and short on details, but the basic
message is simple: too many CAs have engaged in a price- and
cost-driven race to the bottom; there are thus too many certificates
being issued that aren't really trustworthy. A group of CAs and
--
From: Steven M. Bellovin
[EMAIL PROTECTED]
http://news.com.com/Browsers+to+get+sturdier+padlocks/2100-1029_3-5989633.html?tag=st.rn
The article is a bit long-winded and short on details,
Typical marketing bullshit.
but the basic message is simple: too many CAs
In message [EMAIL PROTECTED], James A. Donald writes:
--
Has anyone been attacked through a certificate that
would not have been issued under stricter security? The
article does not mention any such attacks, nor have I
ever heard of such an attack.
If no attacks, this is just an excuse
--
From: Steven M. Bellovin
[EMAIL PROTECTED]
The very first phishing attack I ever heard of was for
paypa1.com. As I recall, they did have a certificate.
And would they not have had a high assurance
certificate, since presumably they really were
paypa1.com?
Even if the
Higher assurance means that when the CA gets duped, it's even better
for the phishers, because that nice, reassuring green bar will be
there.
To preserve the internet channel as a means of communicating with
customers, we need to move to bookmarks, not email with clickable
URLs. That method is a
On 12/18/05, James A. Donald [EMAIL PROTECTED] wrote:
Even if the vendors do implement a policy that all new
urls must be significantly different from known high
value urls, which is not their stated policy, this is
not going to help much with such high value urls as:
David Mercer wrote:
Holy water indeed! As at least someone on this list doesn't seem to
see that there is a 'too many true names' problem, here are some
examples from the ssl sites I use (almost) daily. Second level
domains changed to protect the guilty (and urls chopped for safety):
part
James A. Donald wrote:
--
Has anyone been attacked through a certificate that
would not have been issued under stricter security? The
article does not mention any such attacks, nor have I
ever heard of such an attack.
How much money does a phishing site make before it is forced to