Ka-Ping Yee wrote:
> How is the user to distinguish when the displayed name is correct?
>
> This is a crucial question. Right now we have the problem that the
> certificate-verified information (the domain name) is chosen by the
> attacker, and can be chosen to confuse users. A name like
> "bankofthevvest.com" is confusingly similar to "bankofthewest.com",
> and a name like "amazon.tv" collides with "amazon.com" unless you
> are aware that they belong to different namespaces. This is a
> common and effective attack tactic.
>
Yes, this is a valid question, and I guess there are multiple answers:

First of all, CAs should prevent the issuing of certificates in obvious cases. Obviously identity/business-validated certificates are most likely less problematic, since the CA holds various data about the subscriber, in addition to the displayed details within the certificate, which could be used against him. But also FF2 provides an excellent anti-phishing tool which helps to prevent such an attack. However, one must note that most phishing sites don't even bother to acquire digital certificates, but run their sites over plain HTTP. More than that, most phishing sites don't have any similarity to the domain name they are phishing.

> So how can EV certificates and EV certificate UIs avoid confusing
> users with displayed names that are similar, or the same but
> registered in different jurisdictions?
>
That's perhaps a question for the EV/Browser Forum... but since the subscriber is supposed to get validated extensively, he would not dare to try something like this. Also, EV certificates would and should not be the common form of digital certification, therefore users might recognize and pay attention to the different color. It might help a user if PayPal or eBay suddenly lost its green color (after the user got used to seeing it for a while when visiting their sites). Other types of confusion could happen, however, if the entities are legitimate businesses and validated as such...

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
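The two confusion cases raised in the thread (a look-alike spelling such as "bankofthevvest.com" and a same-name collision across namespaces such as "amazon.tv" versus "amazon.com") are exactly what a defender-side display-name check has to tell apart. The following is an added example, not code from the thread or from any of the parties named in it. It compares a displayed domain against a small constructed allow-list of known-good names using a hand-picked "skeleton" table of ASCII look-alike substitutions (the idea is borrowed from Unicode's confusable-skeleton approach; the table, the allow-list and the `classify` function are all assumptions of this example). It does not fold cross-script homoglyphs and ignores public-suffix rules; it treats everything before the last label as the registrable name.

```python
import unicodedata

# Constructed allow-list of known-good registrable names (example data only).
KNOWN_GOOD = {"bankofthewest.com", "amazon.com"}

# Hand-picked look-alike substitutions used to build a comparison "skeleton".
# Multi-character pairs are collapsed first, then single characters are mapped.
MULTI_CHAR_CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d", "nn": "m"}
SINGLE_CHAR_CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"}
)


def skeleton(label):
    """Reduce a label to a form in which common look-alikes compare equal."""
    # NFKC folds compatibility forms (e.g. fullwidth letters) to their base
    # ASCII letters; lower-casing and the digit map follow.
    s = unicodedata.normalize("NFKC", label).lower().translate(SINGLE_CHAR_CONFUSABLES)
    for pair, replacement in MULTI_CHAR_CONFUSABLES.items():
        s = s.replace(pair, replacement)
    return s


def split_domain(domain):
    """Split 'name.tld' into (name, tld); assumes single-label TLDs only."""
    domain = domain.rstrip(".").lower()
    name, _, tld = domain.rpartition(".")
    return name, tld


def classify(domain):
    """Return (verdict, reference) for a displayed domain against KNOWN_GOOD.

    Verdicts: 'known-good', 'namespace-collision' (same name, different TLD),
    'confusable' (skeletons match but the spelling differs), or 'unrelated'.
    """
    if domain.lower() in KNOWN_GOOD:
        return ("known-good", domain.lower())
    name, tld = split_domain(domain)
    for good in KNOWN_GOOD:
        good_name, good_tld = split_domain(good)
        if name == good_name and tld != good_tld:
            # e.g. amazon.tv vs amazon.com: identical name, different namespace
            return ("namespace-collision", good)
        if name != good_name and skeleton(name) == skeleton(good_name):
            # e.g. bankofthevvest vs bankofthewest: "vv" collapses to "w"
            return ("confusable", good)
    return ("unrelated", None)


if __name__ == "__main__":
    for candidate in ("bankofthewest.com", "bankofthevvest.com", "amazon.tv", "paypal.com"):
        print(candidate, "->", classify(candidate))
```

In a browser or mail gateway this check would run only after the name has been certificate-verified, which is the point made in the quoted text: the verified name can still be attacker-chosen, so verification and confusability review are separate steps.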