Slashdot Mirror


Phishing Scams Incorporate SSL Certificates

dettifoss writes "Netcraft reports: `Internet "phishing" scams are incorporating the use of SSL certificates in their efforts to trick users into divulging sensitive login information for financial accounts.' Perhaps more disturbingly: `Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted."'"

3 of 316 comments

  1. Open SSL contributes to the problem... by LostCluster · Score: 2, Troll

    Unfortunately, the open-source SSL systems contribute to this problem...

    Most of them let you do a functionally okay SSL certificate without having to pay a root certificate authority. However, that means you're going to get the "sorta okay" certificate message popping up, with the user being told that the certificate is valid but there's no certifying authority behind it. As a result, the user is trained to click "Yes" to that box, and is conditioned to ignore such errors...

  2. Legislation by dysprosia · Score: 0, Troll

    Why, oh why isn't there legislation to make this sort of thing illegal? Phishing is basically fraud, and if there was a chance that some action could be done, then these phishers would not be tempted to pull such a stunt, since they would know that there would possibly be a lawsuit/jailtime behind this...

    1. Re:Legislation by pookie_jurd · Score: 2, Troll

      Why isn't there a law against going out and killing people? Then these people "would not be tempted to pull such a stunt, since they would know that there would possibly be a lawsuit/jailtime behind this..."