Dean, this is very helpful. Thank you!

From: Dean Anderson [mailto:dean(_at_)av8(_dot_)com]
Sent: Monday, December 22, 2003 3:20 PM
To: Parry Aftab
Subject: RE: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]

On Sun, 21 Dec 2003, Parry Aftab wrote:
If not to protect them, how can you verify that a site is not being
When you connect to a secure website, you can examine the SSL
for the site, usually by clicking on the "lock" symbol on many browsers.
People should learn how to do this, and make it a habit of doing so when
they connect to secure sites, so they recognize when something changes.
Unfortunately, like other components of scams, the certificate might
a similar sounding name You think you've got (eg paypal.com), but you
Paypal-business.com. The certificate (we assume for argument) really
belong to an entity called paypal-business.com, but is
the same as paypal? You don't know.
The best thing to do is start from (eg) paypal.com from your account
statement, etc, and examine the site certificate. Then you have a good
chance that it is not spoofed. But it is only a chance, as it could
be spoofed in various ways. There are lots of scenarios for this: But
here's one: Your computer could be infected with a virus which
a web proxy--then the attacker sends you a message to go update your
stuff. You type in paypal.com, but your infected browser goes to the
site instead. When you try to view the certificate, your infected
shows you the real certificate information. You can't easily know this
didn't happen. But examining the certificate is a good practice.
So there are things to do that will make the con-artist's job harder,
you can't make it impossible to be conned. But hopefully, the police
be able to track down the con-artists, and by doing so, will deter
There is no perfect system, so we can't give any assurances that there
a perfect system. Nor is it the case that if you do or don't do certain
things, you can't be victimized. The best we can do is tell people to
their common sense, so they aren't victimized by the lowest-grade of
The issue is not a technical issue, but a social and policy issue. You
also be sure, as a point of policy, that if the law enforcement
doesn't react swiftly and harshly to cons and frauds, then the
lowest-grade cons will be attracted to the internet, where experience
close calls will improve their skills. A large number of high-grade (by
that I mean very sophisticated) con-artists would be a disaster. A
number of low-grade con-artists creates momentum for increases in the
number of high-grade con-artists. The policy implications are clear.
Law enforcement tends to focus on the most serious criminals: Bank
who take control of a bank and enter the vault get more attention than
person who passes a note to a teller. This is good policy, but the
passers' who rob real banks aren't completely ignored. In contrast, in
the virtual world, that's just what's been happening: 'note-passers'
ignored altogether until they graduate to the major 'seizing control'
level. This is bad policy.
Consider the Microsoft worm perpetrator who coincided with the East
Blackout. When it was suspected that it might be related to the
the police found this guy right quick. It is not hard to track these
things down with law enforcement powers. But nearly all virus operators
are ignored, even when reported.
I operate an ISP in Boston. I've reported several computer break-ins
the years the Feds. They take the report and nothing happens. Now, I
bother. I have enough to do. By trial and error, the crackers and
con-artists get better.
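
The certificate habit described in the message above (check whose name is on the certificate, and notice when it changes), as an added example that is not part of the original e-mail. The function names are hypothetical, the registrable domain is assumed to be the last two labels, and the certificate bytes are constructed stand-ins; as the message notes, a check run on an infected machine can be shown the real certificate, so this only helps on a machine you trust.

```python
import hashlib

def registrable(name):
    # Assumption: the last two labels are the registrable domain (no public-suffix list),
    # so names under suffixes such as co.uk are not handled.
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return ".".join(name.split(".")[-2:])

def classify_name(cert_name, expected):
    """Compare one DNS name from a certificate with the domain the user meant to visit."""
    expected = expected.lower()
    brand = expected.split(".")[0]
    if registrable(cert_name) == expected:
        return "match"
    if brand in cert_name.lower():
        return "lookalike"  # e.g. paypal-business.com when paypal.com was meant
    return "unrelated"

def review_certificate(expected, cert_names, cert_der, seen):
    """Return findings for a certificate; `seen` maps domain -> last accepted fingerprint."""
    verdicts = [classify_name(n, expected) for n in cert_names]
    findings = []
    if "match" not in verdicts:
        findings.append("name-mismatch")
    if "lookalike" in verdicts:
        findings.append("lookalike-name")
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    previous = seen.get(expected)
    if previous is None:
        findings.append("first-seen")
    elif previous != fingerprint:
        # A renewal also changes the fingerprint: confirm out of band before trusting it.
        findings.append("fingerprint-changed")
    if "name-mismatch" not in findings:
        seen[expected] = fingerprint  # remember only certificates issued for the expected name
    return findings

if __name__ == "__main__":
    seen = {}
    # Constructed stand-ins for DER-encoded certificate bytes, not real certificates.
    print(review_certificate("paypal.com", ["www.paypal.com"], b"constructed-cert-A", seen))
    print(review_certificate("paypal.com", ["paypal-business.com"], b"constructed-cert-C", seen))
```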