Florian Weimer wrote:
Host names like c1d3q2 are fine, but you shouldn't be allowed to use a
well-known or registered trademark.  If I read the Verisign CPS
correctly, I would be able to obtain a EV certificate for
citibank.enyo.de if I incorporated.

Right, that's the current phishing approach. It's not trivial to stop, though. There are phoney generic trademarks, too, so you'd basically shrink the namespace for (readable) hostnames to almost null.

Given that it's not too hard to
set up a phony company, this undermines the purpose of EV
certificates, doesn't it?  After all, it's not about validation, it's
about identification.

Well, the cert would say "Enyo GmbH". Assuming the user looks at that (we should not discuss UI here, but let's say it's shown in or near the URL bar). But you're right, a typical phishing victim could just as easily be confused, given that they happily enter their bank login at http://64.246.35.72/phase3/citibank.html

--
When responding via mail, please remove the ".news" from the email address.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
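The point argued above, that an EV certificate validates that some legal entity exists but does not identify whether a brand appearing in a hostname label belongs to that entity, can be made concrete with a small client-side heuristic. The following is an added example, not code from the thread, Mozilla, or any CA: it takes a hostname and the certificate's Organization (O) field, and flags the case where a label contains a brand from a watchlist while O names a different entity. The watchlist, the sample host/organization pairs, and the function names are all constructed for illustration; no real certificate is parsed.

```python
# Added example (not from the dev-security thread): a heuristic that
# separates "validation" (some entity holds a cert for this name) from
# "identification" (the brand in the name is the entity in the cert).
# Brand watchlist and sample pairs below are constructed for illustration.

import ipaddress
import re

# Constructed watchlist of brand tokens. A real deployment would need a
# maintained list, which is exactly the namespace problem raised in the thread:
# every generic-sounding brand added shrinks the space of usable hostnames.
WATCHLIST_BRANDS = ("citibank", "paypal", "microsoft")


def hostname_labels(host):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label.lower() for label in host.rstrip(".").split(".") if label]


def is_ip_literal(host):
    """True for bare IPv4/IPv6 hosts, where there is no name to identify."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def normalize_org(org):
    """Collapse an O field to alphanumerics: 'Citibank, N.A.' -> 'citibankna'."""
    return re.sub(r"[^a-z0-9]", "", org.lower())


def brand_in_host(host, brands=WATCHLIST_BRANDS):
    """Return the watchlist brands that occur inside any hostname label."""
    hits = []
    for label in hostname_labels(host):
        for brand in brands:
            if brand in label and brand not in hits:
                hits.append(brand)
    return hits


def assess(host, subject_o=None, brands=WATCHLIST_BRANDS):
    """
    Classify a (hostname, certificate Organization) pair.

    subject_o is None or empty when there is no identity-bearing certificate
    (plain http, or a DV certificate with no O field).

    Returns one of:
      "ip-literal"          host is a bare IP address; nothing to identify
      "no-identity"         no O field to compare the hostname against
      "brand-org-mismatch"  a watchlist brand is in the host but not in O
      "consistent"          no watchlist brand in the host, or O names it
    """
    if is_ip_literal(host):
        return "ip-literal"
    if subject_o is None or not subject_o.strip():
        return "no-identity"
    hits = brand_in_host(host, brands)
    if not hits:
        return "consistent"
    org = normalize_org(subject_o)
    mismatched = [brand for brand in hits if brand not in org]
    return "brand-org-mismatch" if mismatched else "consistent"


# Constructed sample pairs mirroring the cases discussed in the message.
SAMPLES = [
    ("citibank.enyo.de", "Enyo GmbH"),         # EV issued to the registrant, brand in a label
    ("online.citibank.com", "Citibank, N.A."),  # brand in host matches O
    ("c1d3q2.enyo.de", "Enyo GmbH"),            # opaque host, nothing to flag
    ("64.246.35.72", None),                     # the plain-http IP URL from the message
]

if __name__ == "__main__":
    for host, org in SAMPLES:
        print(f"{host:24} O={org!r:20} -> {assess(host, org)}")
```

The "brand-org-mismatch" result for citibank.enyo.de with O="Enyo GmbH" is the exact situation the thread describes: the certificate is entirely valid, and the mismatch is only visible if something (browser or user) compares the hostname against the O field. The "ip-literal" result for the IP URL shows the other half of the argument: a victim who accepts that URL never reaches the point where identification could help.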
