[svlug] FYI for all those who don't read slashdot

Marc MERLIN marc_news at merlins.org
Tue Nov 18 17:26:18 PST 2014


On Tue, Nov 18, 2014 at 05:23:13PM -0800, Michael Eager wrote:
> Another exploit is for someone to get a certificate for
> MacysCalif.com and publish a website resembling the real Macy's
> website.  Everything looks OK to the user, the little padlock is locked,
> and all traffic is encrypted.  Except it isn't going to the real Macy's,
> but to the fraudulent one.  Who likely will pass it along to the
> real Macy's, harvesting the userid/password.  Or simply redirecting
> and getting out of the middle, after harvesting user credentials.

That's exactly what I said :)
We already know that verifying the cert for a commerce site is obviously
good.
Your checking my cert if you send me SMTP/TLS Email is not as important.
Sending me encrypted Email, even if it could be to another server
pretending to be me, is much better than sending me cleartext Email.

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/                         | PGP 1024R/763BE901