ietf-asrg

Re: [Asrg] Re: the e-postage argument

2004-04-28 20:07:50
mathew <meta(_at_)pobox(_dot_)com> wrote:
On Apr 22, 2004, at 23:07, Seth Breidbart wrote:
mathew <meta(_at_)pobox(_dot_)com> wrote:
On Apr 21, 2004, at 21:21, Seth Breidbart quoted someone:
How come SSL certificates in HTTPS transactions can work? Aren't they
reasonably analogous?
No; anybody can generate one.  Somebody who wanted billions of valid
ones could just spend a little CPU time.
No, it doesn't work like that. If it did, SSL would be useless.
No, SSL encrypts.

SSL with certificates can also authenticate, and that's the kind of 
functionality that's needed for e-postage.

It _can_, but it doesn't for https necessarily.

Sure, I can generate a self-signed SSL certificate, but that's not
going to get me anywhere.
It does for a number of stores I shop at.
After all, what value does having a certificate signed by Verisign
actually provide?

It provides assurance that the system you are connecting to is one 
approved by Verisign.

And what value is "approval by Verisign"?  Aren't they the company
that once generated a bogus Microsoft certificate?

How much effort do they put into validating anyone who tries to buy a
certificate?

So, what value does e-postage signed by Verisign have? Well, it might 
hypothetically have the value that Verisign will redeem it for cash.

How do you prevent re-use?  Every recipient would have to query
Verisign immediately before accepting the email.  Do you really think
they could handle it?

Now, I notice you deleted my challenge, so let me re-state it. If you 
think SSL certificates are worthless and easily bypassed, let's see you 
generate one which my browser will accept without throwing up a warning 
that it's bogus.

Why should I bother?

Ask yourself why phishing sites don't use SSL.
Why should they bother?  Would it increase their success ratio?

It would if they could get the certificate to be accepted without any 
warning, the connection to show as secure, and the certificate to state 
that they really are the institution they're pretending to be. If they 
could do that, they might fool people like me. But they can't, which is 
the entire point.

Sure they could.  That's why they register domains that sort of look
like the company they're phishing.  Look at, for instance,
ebaysecurity.com; do you really think ebay registered a domain using
"freeservers.com"?

Seth

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
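
The re-use question raised in the message above, as an added example that is not part of the original thread: an authentic stamp copied onto several messages passes every offline check, and only a per-delivery query to the issuer's spent-serial ledger rejects the copies. All names here are hypothetical, and the HMAC tag stands in for the issuer's public-key signature so the sketch runs with the standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed key; stands in for the issuer's signing key (assumption).
ISSUER_KEY = secrets.token_bytes(32)

def issue_stamp(value_cents):
    """Issuer mints a stamp: random serial plus value, bound by a tag."""
    serial = secrets.token_hex(16)
    msg = f"{serial}:{value_cents}".encode()
    tag = hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()
    return {"serial": serial, "value": value_cents, "tag": tag}

def tag_is_valid(stamp):
    """Authenticity check only: proves the issuer minted this stamp.
    With a real signature, recipients would do this with a public key."""
    msg = f"{stamp['serial']}:{stamp['value']}".encode()
    expected = hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stamp["tag"])

class Issuer:
    """Online redemption service holding the ledger of spent serials."""
    def __init__(self):
        self.spent = set()
        self.queries = 0

    def redeem(self, stamp):
        self.queries += 1  # one round trip per delivery attempt
        if not tag_is_valid(stamp) or stamp["serial"] in self.spent:
            return False
        self.spent.add(stamp["serial"])
        return True

def deliver(stamp, recipients, issuer=None):
    """Return the recipients that accept a message carrying `stamp`.
    issuer=None models recipients that verify the tag offline only."""
    accepted = []
    for rcpt in recipients:
        ok = issuer.redeem(stamp) if issuer else tag_is_valid(stamp)
        if ok:
            accepted.append(rcpt)
    return accepted

if __name__ == "__main__":
    rcpts = ["a@example.org", "b@example.org", "c@example.org"]
    stamp = issue_stamp(1)
    issuer = Issuer()
    print("offline:", deliver(stamp, rcpts))
    print("online: ", deliver(stamp, rcpts, issuer), "queries:", issuer.queries)
```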