[security] [dix] Re: Gathering requirements for in-browser OpenID support
Dan Lyke
danlyke at flutterby.com
Tue Oct 31 23:26:18 UTC 2006
On Tue, 31 Oct 2006 03:00:08 -0800, Eddy Nigg (StartCom Ltd.) wrote:
> Guess he will have a hard time getting a cert for this... Usually
> wild card certificates require additional verifications as well...
I've seen at least one phishing spam (and my filters are pretty good,
I don't end up reading too many of 'em) that had an address like
https://paypalsecuritycentral.com or some other similarly convoluted
and unofficial but possibly believable name.
And given that I've seen banks do something similar legitimately, and
it's all about percentages, I'd imagine you can get some portion of
users to fall for that.
Security isn't about "making something secure", it's about levels of
difficulty and trade-offs in that. Those of us who are skeptical about
what HTTPS can do are, I think, largely looking at this from a "locking
the screen door" perspective; on the other hand, so many attacks are so
unsophisticated that maybe locking the screen door is a good idea.
Dan