Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phishing Scams Incorporate SSL Certificates

Posted by ryuzaki0 on from the flashing-a-badge dept.

dettifoss writes "Netcraft reports: `Internet "phishing" scams are incorporating the use of SSL certificates in their efforts to trick users into divulging sensitive login information for financial accounts.' Perhaps more disturbingly: `Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted.'"

2 of 316 comments (clear)

  1. SSL certificates in 2004 by ddent · · Score: 5, Informative

    (Disclaimer: I am probably biased, since we issue
    SSL certificates
    on our website.)



    This article is a good example of yet another reason why the old advice of
    "make sure the site you are dealing with has an ssl certificate, and you
    should be fine" is no longer entirely true.



    To be more confident you are dealing with a reputable/accountable merchant/site, you
    should not only make sure that they have an SSL certificate, but you
    should also actually click on the lock (or however it is done in the browser
    you use) and look at the certificate.



    The reason the advice used to be valid, is that traditionally, to get an SSL
    certificate, you had to provide documents to prove you are who you say you
    are, i.e. DUNS #, articles of incorporation, business license, DBA, bank statement,
    passport, driver's license, whatever. That is still true for most of the
    certificate authorities, but it isn't always true. Some of the new certificate
    authorities don't actually ask to see documents before issuing the
    certificate, instead, they merely make sure that you have control of the
    domain by sending an email to the listed contacts. In some cases, they also
    place a phone call to a number you provide them (I fail to see how this does
    anything, but..). Certificate authorities that do this will issue the
    certificate to "Domain control validated, organization not validated" as the
    organization (or similar text to that effect) rather than to the actual name
    of the company the certificate is for. These certificates are
    perfectly fine for making sure things
    are encrypted, however, they make the certificate useless for getting an idea
    about the legitimacy of who you are dealing with. They also don't tend to
    carry the warranties that other ones do (and for good reason, who would
    underwrite that procedure?).


    --
    SSL Certificate
  2. Re:Do people even see the lock? by Anaxagor · · Score: 5, Informative

    What are some good resources for a web developer to read so that they know how to design secure sites that use RDBMS as a backend?

    OWASP is a good start.