[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

ianG iang at iang.org
Tue Jan 8 08:20:30 EST 2013

On 8/01/13 15:16 PM, Adam Back wrote:
> IMO it is very bad practice that a number of banks use a domain that does
> not match the main domain and brand for the login.  I have seen multiple
> examples of what James mentioned.  For example www.natwest.com it does not
> redirect to HTTPS, further when you click on login, it goes to
> https://www.nwolb.com, and further chrome's green certifcate info field
> shown to the left of the URL says "The Royal Bank of Scotland Group Plc
> [GB]".

I love this - everyone has a story about how their bank is just totally 

My bank is called CBA.  It sold me a "safe" worldwide credit card 
replacement thing which required a registration.  I went onto the CBA 
webpage to find the page to do the registration, and found a link on a 
random unprotected non-SSL page, to somewhere else.

That took me to some random thing like internationalmoney.com.  I phoned 
up the bank to complain and check ... they guy looked at the page and 
said, "sure, that's it!"  Reading from the same webpage.  I said "you 
are training your users to be phished" and he didn't even get flustered.

Whatever this domain was, I did the traceroute and whois and found that 
the whole thing was a totally independent outsourced organisation 
outside CBA's country.  As it turns out, it was outsourced to HP's cloud 
operation in California.

On the same day, I read an article in the major newspaper from the IT 
director of the bank saying they would never ever outsource customers' 
data outside the bank.

So.  Totally hopeless.  A recipe for disaster.

Obviously we cannot fix this.  But what we can do is decide who is 
responsible, and decide how to make them carry that responsibility.

Hence the question.  Who is responsible for phishing?

Vendor?  CA?  User?  Bank?  SSL techies?


More information about the cryptography mailing list