Friday, Jan 12, 2007

Certificates and phishing

Dmitry Shechtman comments on Scott Kveton’s post on phishing and OpenID.

Both are smart guys, so I’m confounded that neither mentions that common X.509 certificates served over SSL can solve a fair amount of the phishing problem. Or is OpenID only for sites where getting a ‘real’ cert is out of scope?

There are also new types of certificates coming out — extended validation certificates — which carry added information, such as visual logotypes, that some browser vendors display in order to raise the bar further for phishers.
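The property the post relies on, shown as an added example that is not code from this post or from any browser: the name and validity check a TLS client runs against the server certificate, which is why a phishing page on a look-alike domain cannot present the real site's certificate. The certificate dictionary is a constructed sample in the shape of `ssl.SSLSocket.getpeercert()` output with placeholder names; chain building and signature verification are assumed to be done by the TLS library.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# not a real certificate, and "bank.example" is a placeholder domain.
BANK_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
    "notBefore": "Jan 12 00:00:00 2007 GMT",
    "notAfter": "Jan 12 00:00:00 2008 GMT",
}

def to_epoch(cert_time):
    """Parse the OpenSSL date format that getpeercert() returns."""
    return ssl.cert_time_to_seconds(cert_time)

def hostname_matches(cert, hostname):
    """True if the typed hostname is one the certificate was issued for:
    exact DNS names, or one leftmost wildcard label, so look-alikes fail."""
    host = hostname.rstrip(".").lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.rstrip(".").lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".bank.example"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:  # exactly one label, never the bare domain
                return True
        elif "*" not in name and name == host:  # partial wildcards rejected
            return True
    return False  # also covers a certificate with no DNS SAN entries

def verify_server_identity(cert, hostname, now):
    """Reasons to refuse `cert` for `hostname` at epoch-seconds `now`; an empty
    list means it passes. Chain and signature checks are the TLS library's job."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("name mismatch")
    if now < to_epoch(cert["notBefore"]):
        problems.append("not yet valid")
    if now > to_epoch(cert["notAfter"]):
        problems.append("expired")
    return problems

if __name__ == "__main__":
    now = to_epoch("Jun 01 00:00:00 2007 GMT")
    for h in ["www.bank.example", "bank.example.login-secure.test", "evilbank.example"]:
        print(h, verify_server_identity(BANK_CERT, h, now) or "OK")
```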


Reader Comments (2)

Thanks for the compliment.

When it comes to certificates, I'm as stupid as any common user. All I know is the address bar should turn yellow without any confirmation messages popping up. How difficult is that for a phisher to accomplish?
January 12, 2007 | Unregistered Commenter Dmitry Shechtman
You're almost right. Certificates can be used... but not for the website. Let's forget about authenticating the server (!?). Use certificates to authenticate the client instead of using passwords.

In fact, I do something simpler here:

http://digitalconsumption.com/forum/A-simple-solution-to-OpenID-phishing-attacks

I use my IP address instead of a password and use client certificates as a fallback when my laptop is roaming.

Even if you are redirected to a hostile server, they can't phish you as there's no password. What's more, you're alerted to the phishing attempt.
January 22, 2007 | Unregistered Commenter Charles Darke
