On Thu, 3 Nov 2005, Julien Pierre wrote:
> Ka-Ping Yee wrote:
> > On Wed, 2 Nov 2005, Julien Pierre wrote:
>
> > The account (or other relationship) you previously established at the
> > website you wanted -- the "one truly intended" as you put it.  The
> > phisher wants to fool you into believing you are participating in that
> > relationship when in reality you are dealing with an impostor.  By
> > keeping note of the certificate information, your browser can tell you
> > reliably whether you are dealing with the same site and not an impostor.
>
> No. A party is allowed to use more than one certificate, for reasons
> such as renewal, or many other. There is nothing in X.509 or SSL that
> says one party only has one cert, quite the contrary.  The fact that
> the certificate has changed since your last communication does not
> tell you that you aren't dealing still with the same site.

But that is not under control of the phisher.  Only the legitimate
party can produce the correct certificate, and that is what matters.

When you are phished, someone is trying to make you believe that you
are at the SAME site when in reality you are at a DIFFERENT site.
The situation you're describing is not phishing; it's backwards (you
think you are at a different site when you are at the same site),
and it can only occur with consent of the legitimate site.


-- ?!ng
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
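The certificate-continuity check the two messages argue about, written out as an added Python example (not code from either poster or from Mozilla). The SPKI byte strings and host names are constructed placeholders; a real client would take the SubjectPublicKeyInfo from the server's certificate.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
BANK_KEY_2004 = b"constructed-spki-bank-2004"
BANK_KEY_2005 = b"constructed-spki-bank-2005-renewal"
IMPOSTOR_KEY = b"constructed-spki-phisher"


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the public key bytes: the value a continuity store remembers."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass
class ContinuityStore:
    """Remembers every public key seen per host; one party may use several certs."""
    seen: dict = field(default_factory=dict)

    def check(self, host: str, spki_der: bytes) -> str:
        fp = spki_fingerprint(spki_der)
        known = self.seen.setdefault(host, set())
        if not known:
            known.add(fp)
            return "first-contact"   # no prior relationship with this host
        if fp in known:
            return "same-party"      # only the holder of this key can present it
        return "key-changed"         # renewal or impostor: cannot tell from here

    def trust(self, host: str, spki_der: bytes) -> None:
        """Record an additional key once the user has confirmed it (e.g. renewal)."""
        self.seen.setdefault(host, set()).add(spki_fingerprint(spki_der))
```

A matching key proves the same party; a changed key proves nothing either way, which is why the store keeps several keys per host instead of treating a change as proof of an impostor.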
