- From: David Woolley <david@djwhome.demon.co.uk>
- Date: Wed, 16 Jun 2004 07:58:20 +0100 (BST)
- To: w3c-wai-ig@w3.org
> I need to be educated about this one. What is the rather technical thing
> a user needs to do to make SSL work properly?

They need to open up the certificate and look at the subject and confirm that the subject is the organisation they think they are communicating with.

> Are you saying the user went to the wrong site? Wouldn't that be user

That's one route, and is what phishing and typo squatting attempt to exploit - typo squatting isn't normally associated with an SSL exploit, but could be. The other routes are by subversion of DNS or IP routing, and by domain name obfuscation (although recent fixes to IE, to reduce functionality, do reduce the last risk somewhat).

Either way, protection against your customers going to the wrong site is the only valid security reason for paying money to people like Verisign. If you simply want encryption, you can self sign your own SSL certificates. The other reason of course is that a proportion of users would object to an unverifiable certificate diagnostic, without actually understanding that a verified certificate is near meaningless unless you verify the URL or subject. (It does tell you that the issuer verified the subject's identity at some level, but probably not the level that a bank would request and not against who they might pretend to be.)

To the extent that accessing the wrong site is not an issue, the root certificate issuing companies are obtaining money under false pretences.

If you take one of my online banks, their URL is www.xxxxxxxxxx.co.uk, (where xxxxxxxxxx is their well known trading name), but their secure site is something like olb2.xxxxxnet.com, where the prefix is certainly not enough to have prevented someone completely different from having registered that domain. Like all UK banks, they have been subject to phishing attempts.

(I did try to email them about this in the context of a phishing attack, but got a stock response to people responding to phishing attacks, from a minion - a general big organisation problem.)

My other online bank, at least at one time, was unusable without scripting, and had, and may still have, a typo squatter relying on one typing a double letter as a triple. Fortunately that typo-squatter doesn't pretend to be a banking site. In this case, the secure site name is a reasonable match with the obvious domain name.

> the job of security departments. Please don't imply that bank sites
> are not among the most secure sites unless you have some facts to

The sort of attacks here don't attempt to break into the bank site, they attempt to break into the bank account, by compromising the user's authentication data, possibly by compromising their machine as a whole.

The consequences of banks insisting on scripting are an increased likelihood of other sites compromising the client. This may indirectly compromise the banking site, as banking details are a high priority target for attackers. Basically the insistence on scripting by a bank encourages their customers to use unsafe practices when accessing less reputable sites.

Note that phishing attacks are successful, even though internet based ones would be impossible if people verified the domain name/certificate subject, properly.
Received on Wednesday, 16 June 2004 02:58:24 UTC
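The "rather technical thing" the post describes (open the certificate, check that its name covers the host you connected to, and read which organisation the subject actually names) as an added, offline example; this is not code from the original post or from any bank. It assumes the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns, and the sample certificate and domain names are constructed placeholders modelled on the post's obfuscated bank addresses.

```python
# Added example (not code from the original post). Works on the dict shape
# Python's ssl.SSLSocket.getpeercert() returns, so it runs offline on the
# constructed sample below; a real getpeercert() result can be passed instead.

# Constructed sample in getpeercert() shape; names are placeholders modelled
# on the post's obfuscated bank domain, not a real certificate.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Bank plc"),),
        (("commonName", "olb2.examplenet.com"),),
    ),
    "issuer": ((("organizationName", "Example CA Ltd"),),),
    "subjectAltName": (("DNS", "olb2.examplenet.com"),
                       ("DNS", "*.examplenet.com")),
}

def name_field(name, field):
    """First value of `field` (e.g. 'organizationName') in a subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None

def dns_name_matches(pattern, hostname):
    """Hostname match; a wildcard is honoured only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:] and "*" not in labels[0]
    return pattern == hostname

def hostname_matches(cert, hostname):
    """True if a SAN DNS entry covers the hostname (CN used only if no SAN)."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        cn = name_field(cert.get("subject", ()), "commonName")
        dns_names = [cn] if cn else []
    return any(dns_name_matches(p, hostname) for p in dns_names)

def summarise(cert, hostname):
    """Does the name match the host you reached, and which organisation does
    the subject name (the CA vouched for that name, not for it being your bank)."""
    return {
        "hostname_matches": hostname_matches(cert, hostname),
        "organisation": name_field(cert.get("subject", ()), "organizationName"),
        "issuer": name_field(cert.get("issuer", ()), "organizationName"),
    }
```

A matching hostname and a trusted issuer only tell you the CA checked the subject's name; whether "Example Bank plc" at `olb2.examplenet.com` is the bank whose `.co.uk` address you typed is still the user's call, which is the post's point.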