Phishing Scams Incorporate SSL Certificates
dettifoss writes "Netcraft reports:
'Internet "phishing" scams are incorporating the use of SSL certificates in their efforts to trick users into divulging sensitive login information for financial accounts.'
Perhaps more disturbingly: 'Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted."'"
I stopped phishing when AOL 3.0 came out...
SUCK IT DOWN!
Unfortunately, the open-source SSL systems contribute to this problem...
Most of them let you do a functionally okay SSL certificate without having to pay a root certificate authority. However, that means you're going to get the "sorta okay" certificate message popping up, with the user being told that the certificate is valid but there's no certifying authority behind it. As a result, the user is trained to click "Yes" to that box, and is conditioned to ignore such errors...
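As an added example (not part of the story or of any comment above), here is a Python client configuration that exhibits the two weaknesses discussed on this page, no CA consulted and NULL ("plain text") cipher suites allowed, beside a hardened one, plus an audit function that flags both conditions in any `ssl.SSLContext`:

```python
import ssl


def permissive_context() -> ssl.SSLContext:
    """Client setup that never consults a CA: verification off (so a
    self-signed or forged cert is accepted silently) and NULL suites,
    i.e. no encryption at all, appended to the offered cipher list.
    Whether OpenSSL actually offers the NULL suites depends on the build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, trusted or not
    try:
        ctx.set_ciphers("ALL:eNULL")  # eNULL = suites with no encryption
    except ssl.SSLError:
        pass                          # build refuses NULL suites; still unverified
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verification required against the system trust store, hostname
    checked, and anonymous/NULL/weak suites explicitly excluded."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context enforces
    CA verification, hostname matching and offers no NULL/anonymous suite."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if "NULL" in name or name.startswith(("ADH", "AECDH")):
            findings.append(f"weak suite offered: {name}")
    return findings


if __name__ == "__main__":
    print("permissive:", audit_context(permissive_context()))
    print("hardened:", audit_context(hardened_context()))
```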
Why, oh why isn't there legislation to make this sort of thing illegal? Phishing is basically fraud, and if there was a chance that some action could be taken, then these phishers would not be tempted to pull such a stunt, since they would know that there would possibly be a lawsuit/jail time behind this...
http://slashdot.org is not OpenPGP compliant. Please remove the spaces slash inserts to verify signature.
Where is the condemnation of your friend Bob Thompson?
Seriously... ok, not. Seriously though, at least I can pay for my RV for Bonnaroo now! :)