> Well you could always use the ploy that is being used with > spoofed bank sites. > User thinks they are going yo www.barclaysbank.co.uk But your > really sending them to www.barclayswank.co.uk which has a > valid SSL, so nothing looks amis.
Yes, that'll certainly work. And I enjoyed your example domain names. But I haven't seen any phishing examples that use SSL. Perhaps this is because of the expense. It might also have to do with the verification process that goes along with buying a cert from a public CA. Honestly, I buy few enough certs that I don't know if this is still true, but when I initially ordered my certs from Thawte, I had to verify ownership of the domain and that Fig Leaf was an actual company, etc. That might be a minor impediment to a scammer. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255376 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4