[16887] in cryptography@c2.net mail archive

Re: A cool demo of how to spoof sites (also shows how TrustBar prevents this...)

daemon@ATHENA.MIT.EDU (Adam Fields)
Wed Feb 16 07:49:22 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 10 Feb 2005 19:16:50 -0500
From: Adam Fields <cryptography23094893@aquick.org>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: Amir Herzberg <herzbea@macs.biu.ac.il>,
	Ian Grigg <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: <20050210232446.C8FAA3C025A@berkshire.machshav.com>

On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote:
[...]
> One member of this mailing list, in a private exchange, noted that
> he had asked his bank for their certificate's fingerprint.  My
> response was that I was astonished he found someone who knew what
> he was talking about.
[...]

I wrote on this list, in June 2003, the last time we had this
conversation (regarding a similar plugin called SSLBar):

"Maybe this is a stupid question, but exactly how are you supposed to
use this information to verify a cert? I've done an informal survey of
a few financial institutions whose sites use SSL, and the number of
them that were able to provide me with a fingerprint over the phone
was exactly zero."

Which bank was that person you mention talking to?


-- 
				- Adam

-----
** My new project --> http://www.visiognomy.com/daily
   **  Flagship blog --> http://www.aquick.org/blog
Hire me: [ http://www.adamfields.com/Adam_Fields_Resume.htm ]
Links:   [ http://del.icio.us/fields ]
Photos:  [ http://www.aquick.org/photoblog ]



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
