Extended validation certificates
Posted Nov 3, 2006 19:20 UTC (Fri) by bronson
In reply to: Extended validation certificates
Parent article: Extended validation certificates
All the bank has to do is give me an https URL, and I type it in, and I can have quite high confidence I'm talking to my bank.
No you can't. DNS cache poisoning is still depressingly easy. And most packets hit 20-30 boxes as they transit the internet. All it takes is for one of those boxes to be subverted. All of these attacks rely on your typing the URL perfectly. Phishing is for chumps.
The only way you can be confident you're talking to your bank is to have an out-of-band fingerprint at each end. Each party must authenticate the other. SSL's one way "authentication" will always be prone to MITM attacks, always.
I've been meaning to write my SSL MITM proof of concept tool for three years now. That would demonstrate the problem to people who don't have crypto experience. Alas, the round tuits just aren't piling up.
to post comments)