[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)
iang at iang.org
Tue Jan 8 08:20:30 EST 2013
On 8/01/13 15:16 PM, Adam Back wrote:
> IMO it is very bad practice that a number of banks use a domain that does
> not match the main domain and brand for the login. I have seen multiple
> examples of what James mentioned. For example www.natwest.com it does not
> redirect to HTTPS, further when you click on login, it goes to
> https://www.nwolb.com, and further chrome's green certificate info field
> shown to the left of the URL says "The Royal Bank of Scotland Group Plc
I love this - everyone has a story about how their bank is just totally
My bank is called CBA. It sold me a "safe" worldwide credit card
replacement thing which required a registration. I went onto the CBA
webpage to find the page to do the registration, and found a link on a
random unprotected non-SSL page, to somewhere else.
That took me to some random thing like internationalmoney.com. I phoned
up the bank to complain and check ... the guy looked at the page and
said, "sure, that's it!" Reading from the same webpage. I said "you
are training your users to be phished" and he didn't even get flustered.
Whatever this domain was, I did the traceroute and whois and found that
the whole thing was a totally independent outsourced organisation
outside CBA's country. As it turns out, it was outsourced to HP's cloud
operation in California.
On the same day, I read an article in the major newspaper from the IT
director of the bank saying they would never ever outsource customers'
data outside the bank.
So. Totally hopeless. A recipe for disaster.
Obviously we cannot fix this. But what we can do is decide who is
responsible, and decide how to make them carry that responsibility.
Hence the question. Who is responsible for phishing?
Vendor? CA? User? Bank? SSL techies?