23 Jul 2008, 9:27 p.m.
On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote:
Luckily we have the SSL/CA architecture in place to protect any web page served over SSL. It's a good job users are not conditioned to click "OK" when told "the certificate for this site is invalid".
'course, as well as relying on users not ignoring certificate warnings, SSL as protection against this attack relies on the user explicitly choosing SSL (by manually prefixing the URL with https://), or noticing that the site didn't redirect to SSL. Your average Joe who types www.paypal.com into their browser may very well not notice that they didn't get redirected to https://www.paypal.com/

-Jasper
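One defender-side check for the gap Jasper describes, as an added example that is not part of the original thread: fetch http://host/ with redirects disabled and accept only a redirect whose Location is https on the same host, flagging the case where the user would simply stay on plain HTTP. The responses below are constructed samples standing in for what such a monitor would see, and the host name is just the one from the message.

```python
from urllib.parse import urlsplit

# Constructed sample responses (status, headers) as a monitor would see them
# after requesting http://<host>/ with redirects NOT followed.
SAMPLES = {
    "good": (301, {"Location": "https://www.paypal.com/"}),
    "no_redirect": (200, {"Content-Type": "text/html"}),
    "cross_host": (302, {"Location": "https://login.example.net/"}),
    "still_http": (301, {"Location": "http://www.paypal.com/signin"}),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def check_https_upgrade(host, status, headers):
    """Return (ok, reason) for the plain-HTTP response of `host`.

    ok is True only when the response is a redirect whose Location uses
    https and points at the same host. Anything else is the gap above: the
    user never leaves plain HTTP, so no certificate is ever checked.
    """
    if status not in REDIRECT_STATUSES:
        return False, f"no redirect (HTTP {status}); page served over plain HTTP"
    location = headers.get("Location") or headers.get("location")
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        return False, f"redirect stays on {target.scheme or 'relative'}://"
    if target.hostname is None or target.hostname != host.lower():
        return False, f"redirect leaves the site: {target.hostname}"
    return True, f"upgrades to {location}"


def audit(host, samples=SAMPLES):
    """Run the check over each sample; returns {sample_name: ok}."""
    results = {}
    for name, (status, headers) in samples.items():
        ok, reason = check_https_upgrade(host, status, headers)
        results[name] = ok
        print(f"{name:12} {'OK  ' if ok else 'WARN'} {reason}")
    return results


if __name__ == "__main__":
    audit("www.paypal.com")
```

Only the "good" sample passes; the "no_redirect" sample is exactly the page-looks-normal-but-never-went-to-SSL case from the message.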