On 02/24/2009 02:35 AM, Ian G:
The point that is made is that the "positive response" is so weak that it doesn't support the overall effect; the attacker just prefers to trick the user using HTTP and some favicons or other simple symbols. And (so the author claims) gets away with it easily enough, because there is no "positive response" that is worth much these days.
I agree that the positive versus negative indicators are not favorable, especially for regular SSL. We had "fierce" fights on this subject here and at the bugs...
...however, I must correct an impression here which seems to have taken over the minds because of the way FF3 handles SSL errors, and which is absolutely not correct.
I remember when we discussed the adoption of EV here that I pointed out, and could reasonably prove, that SSL certs were and are not part of phishing attacks - meaning that the vast majority of all known phishing sites never used SSL certs in the first place. Now this was way before the debut of FF3. Also these days, phishing sites don't use SSL but plain text, and in itself this is hardly news and neither due to the SSL UI and error pages of FF3 (and despite what Peter Gutmann has to say concerning the non-existing CA tax ;-) ).
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto