In article <5188ruF1j33roU1@mid.dfncis.de>,
Sebastian Gottschalk <seppi@seppig.de> wrote:
> Barry Margolin wrote:
>
> >> and why wouldn't my browser complain about an invalid certificate for my
> >> banks site?
> >
> > You're not going to your bank's site, you're going to the phisher's site
> > because you clicked on the fraudulent URL he sent you. The phisher has
> > a valid certificate for his own site, of course, so there's nothing for
> > your browser to complain about (it has no way of knowing where you
> > *think* you're going).
>
> As long as CAs like VeriSlime are in business, it might happen that the
> phisher might even acquire a valid certificate for the original banking
> site and involve DNS cache poisoning to impersonate it.
True, but that's not the "man in the middle" type of attack that the
original article was asking about.
--
Barry Margolin,
barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***