Buy Domain Registration & Register Domain Name Service
 
CUSTOMER SUPPORT
HOME  :: REGISTER DOMAIN  ::  RENEW DOMAIN  ::  TRANSFER DOMAIN  ::  CUSTOMER LOGIN  ::  FAQs
 

Domain Registration Related News

SSL's Credibility as Phishing Defense Is Tested

March 2004

Internet "phishing" scams are incorporating the use of SSL certificates - both real and faked - in their efforts to trick users into divulging sensitive login information for financial accounts.

This trend bears watching, as the presence of an SSL certificate was initially touted by consumer protection groups as a way to differentiate between scams and legitimate sites. The U.S. Federal Trade Commission, for example, offered this advice to consumers concerned about phishing: "Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission."

But security professionals are focused on the limitations of SSL in the wake of a recent scam targeting Earthlink users which employed an SSL certificate so the bogus page displayed the lock icon. In this case, the certificate appeared legit because it matched the URL of the fake page mimicking the Earthlink web site, but had no connection to Earthlink. Visitors would only detect the deception if they reviewed the certificate.

The SANS Institute's Internet Storm Center noted the scam, and advised its users that "it is not possible to identify fake or real websites by the lock icon alone. ... While you can assure that the session is encrypted, it is not possible to ensure that this is the real organization."

Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted (because 'plain text' doesn't use certificates). Keeping that in mind, the little lock icon may not even indicate an encrypted channel. The little lock only indicates an SSL connection."

 

 

 

 

 

 

 

 
Buy Domain Name | Domains Registration | Domain Names Registration | Register Domain Name | Cheap Domain Name
Domain Name Search | Transfer Domain | Domain Name Registrar | Domain Name Registry | Domain Purchase | Get Domain Name
Web Domains | Web Site Name
 
© Copyright   . Active-Domain LLC - Purchase Domain Name. All Rights Reserved.