On Fri, 2017-05-26 at 10:46 +0530, Sankalp Bagaria wrote:
> Hello,
>
> http://securityaffairs.co/wordpress/59238/cyber-crime/https-phishing-sites.html
> claims that phishing websites using HTTPS are increasing in number. If
> malicious sites can get certificates, it defeats the purpose of TLS. In my
> opinion, tougher measures are required to prevent malicious sites getting
> legitimate certificates. What can we do about it?

I wouldn't say that it defeats the purpose of TLS.

If https://hackerssite.co.ua/ has a TLS certificate validating that it really is hackerssite.co.ua, and I go there for my online banking... well that's kind of my fault. That domain *isn't* my bank's clearly owned domain name, and I should be looking for an EV certificate with my bank's name in it.

So that would be *my* fault.... unless I suppose my bank have ACTIVELY TRAINED me to succumb to fraud, by doing something insanely incompetently negligent.... like Nat West running their online banking on 'nwolb.com', with a certificate that says 'Royal Bank of Scotland'. Neither of which match the brand "Nat West" by which I know my bank.

Those morons should probably be prosecuted for aiding and abetting the fraud that they are enabling. Because *their* behaviour defeats the purpose of TLS.

cf. http://david.woodhou.se/re-registration.html

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls