Phishers exploit weaknesses in the certificate process

The Washington Post's Security Fix column describes how phishers are exploiting weaknesses in the certificate-granting process to fool users.

It is interesting for two reasons: 1) the attacker obtained a real GeoTrust certificate for a domain name similar to the financial institution's, and 2) the offer to sign up for Verified by Visa quotes the first 5 digits of the victim's credit card number, which are the same for every card issued by that financial institution, so they prove nothing.

What it makes me think is: what is the value of a certificate from GeoTrust compared with a home-rolled certificate combined with mutual authentication and two-factor authentication from WiKID?

The trust in a CA-signed certificate rests on the assumption that the signer has verified the site owner, an assumption this incident shows to be dubious. The trust in WiKID mutual authentication comes instead from the triangle between the WiKID server, the token client and the website: the token client checks that the site the user intends to visit presents the same SSL certificate that the WiKID server has stored for that site. It doesn't matter whether the cert is signed by a trusted CA - the only thing that matters is that the cryptography works and the certificate presented is the one on record.

Moreover, because the WiKID client launches the default browser at the site whose certificate it just validated, the user never has to judge a URL or a padlock icon, which makes the process much easier for them.
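The pinning check described above, as an added illustration that is not WiKID's own code: the client keeps, per intended hostname, the certificate fingerprint(s) the server has on record, compares the presented certificate against them, and only then returns a URL to hand to the browser. The certificate bytes, hostnames and pin store are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_CERT_DER = b"constructed DER bytes: CN=bank.example"
LOOKALIKE_CERT_DER = b"constructed DER bytes: CN=bank-verify.example"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, hex-encoded."""
    return hashlib.sha256(cert_der).hexdigest()


# Pin store as the authentication server would hold it: hostname -> accepted
# fingerprints. A list lets a site rotate its certificate without a gap.
PIN_STORE = {
    "bank.example": [fingerprint(GENUINE_CERT_DER)],
}


def validate_site(intended_url: str, presented_cert_der: bytes, pin_store=PIN_STORE):
    """Return (ok, reason). ok is True only when the presented certificate
    matches a fingerprint pinned for the host the user intends to visit.
    Whether any CA signed the certificate is never consulted."""
    host = (urlsplit(intended_url).hostname or "").lower()
    pins = pin_store.get(host)
    if not pins:
        # A lookalike domain with a perfectly valid CA-signed cert lands here:
        # nothing is on record for it, so the browser is never launched.
        return False, f"no pin on record for {host!r}; refusing to launch browser"
    seen = fingerprint(presented_cert_der)
    # Constant-time comparison against every accepted pin.
    if any(hmac.compare_digest(seen, pin) for pin in pins):
        return True, f"certificate matches pin for {host!r}"
    return False, f"certificate mismatch for {host!r}: got {seen[:16]}..."


def launch_url(intended_url: str, presented_cert_der: bytes):
    """URL to open in the default browser, or None if validation failed."""
    ok, _reason = validate_site(intended_url, presented_cert_der)
    return intended_url if ok else None
```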
