[cap-talk] SSL protection racket - Petname Tool
James A. Donald
jamesd at echeque.com
Fri Feb 29 01:31:31 EST 2008
Sam Mason wrote:
> The CA *should* be responsible for checking that if
> you're asking for a cert for citi.com you really are
> Citibank and not someone about to do some phishing.
This does not actually work, because of the cryptic urls
that banks wind up using. Thus for example, Mountain
credit was phished by a guy who obtained control of a
legitimate mountain something or other web site, with an
entirely legitimate mountain something or other SSL
certificate.
The namespace is too crowded for a true names approach
to work. Businesses that might be phished find they have
to register every related name as well, and they
invariably miss a few, or some are owned by legitimate
businesses that might quietly go out of business.