Hi Ben,

Ben Bucksch wrote:
...So it's not the CA not offering thorough validations, but the subscriber not willing to pay for it! True. Good comment.
Thank you ;-)
Yes, I believe that too! But currently they are still better at preventing mistakes made by users, which phishing is all about... It's not that the site in question doesn't have a valid certificate, it's the user following to the wrong site... The same user will not care too much about the color of the address bar either... Therefore the current band-aids are not the best one could hope for, but pretty effective right now... More than that, current anti-phishing functions now found in most browsers and mail clients are much better at preventing phishing attacks! I think that on this forum most agree with the fact that EV is not going to be effective nor the front line of defense against phishing.... I disagree. I think that anti-phishing blacklists are a band-aid.
I think the most effective anti-phishing measures are:
* Bookmarks
Education, education, education ;-)
Already suggested this and more.... Generally in agreement with you, so I'm not sure if the domain name itself is the most important thing, because the domain is in the address bar already and if that's not the correct domain, then the browser already barks...
* Clearly showing domain (and *only* domain) and maybe real world owner (from cert)
-- Regards Signer: Eddy Nigg, StartCom Ltd. Phone: +1.213.341.0390
_______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security