[16878] in cryptography@c2.net mail archive
Re: A cool demo of how to spoof sites (also shows how TrustBar
daemon@ATHENA.MIT.EDU (Amir Herzberg)
Thu Feb 10 13:35:55 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 10 Feb 2005 09:59:15 +0200
From: Amir Herzberg <herzbea@macs.biu.ac.il>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: Ian Grigg <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: <20050209191228.CCC333C024F@berkshire.machshav.com>
Steve, my point was not the trivial fact that TrustBar would not display
the homograph; suppose it did... even then, the user is _asked_ about
the certificate, since it was signed by an unusual CA that the user did
not specify as `to be trusted always`; this should certainly be a good
warning for most users (and of course, a good situation to check for
tricks such as homographs...).
And even if some user allowed this CA as `always trusted`, there is
still a fair chance he'll notice that the brand of CA on his bank's site
has suddenly changed... which may also raise the alarm.
Best, Amir Herzberg
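The two checks Amir describes (prompt the user when a certificate comes from a CA not marked "always trusted", and raise an alarm when a known site's CA brand changes) as an added example in Python; this is illustrative code written for this archive page, not TrustBar's implementation, and the site and CA names are constructed.

```python
"""Per-site CA memory modelled on the warning logic in the message above."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CaTracker:
    """Remembers which CA each site presented last time and flags changes.

    Hypothetical example code; not TrustBar's own implementation.
    """
    always_trusted: set[str]                      # CAs the user marked "always trusted"
    seen: dict[str, str] = field(default_factory=dict)  # site -> CA seen before

    def evaluate(self, site: str, issuer: str) -> tuple[str, str]:
        """Return (verdict, reason); verdict is 'ok', 'ask' or 'warn'."""
        previous = self.seen.get(site)
        if previous is not None and previous != issuer:
            # The brand of CA on a known site changed: the strongest signal,
            # raised even if the new CA is one the user trusts in general.
            return "warn", f"{site} was certified by {previous}, now {issuer}"
        if issuer not in self.always_trusted:
            # Unusual CA: the user is asked before anything is accepted.
            return "ask", f"{issuer} is not in the always-trusted set"
        # Trusted CA, consistent with history: remember it for this site.
        self.seen.setdefault(site, issuer)
        return "ok", f"{issuer} is trusted and matches history for {site}"

    def accept(self, site: str, issuer: str) -> None:
        """Record the user's explicit acceptance after an 'ask' verdict."""
        self.seen[site] = issuer


def demo() -> list[str]:
    """Constructed sequence of visits; returns the verdict for each."""
    tracker = CaTracker(always_trusted={"Example Root CA"})
    visits = [
        ("bank.example", "Example Root CA"),  # first visit, trusted CA -> ok
        ("bank.example", "Example Root CA"),  # same CA again -> ok
        ("bank.example", "Other CA Ltd"),     # CA brand changed -> warn
        ("shop.example", "Other CA Ltd"),     # unknown site, unusual CA -> ask
    ]
    return [tracker.evaluate(site, ca)[0] for site, ca in visits]


if __name__ == "__main__":
    print(demo())  # ['ok', 'ok', 'warn', 'ask']
```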
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com