bad keysigning by Geotrust
Atom Smasher
atom at smasher.org
Wed Feb 15 09:06:12 CET 2006
this is what happens when someone signs a key that shouldn't be signed.
it's based on an x.509 (hierarchical) trust model, not a pgp (distributed)
trust model, but the consequences are the same: a certification signature
that should not have been issued was issued. this is basically "mallory"
collecting a good signature on a fraudulent key.

    Now here's where it gets really interesting. The phishing site...
    is protected by a Secure Sockets Layer (SSL) encryption
    certificate issued by a division of the credit reporting bureau
    Equifax that is now part of a company called Geotrust.

    The New Face of Phishing
    http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html

--
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
A student asked his old Sufi Master if he should tie up
his camel for the night, so that it wouldn't wander
away while they were sleeping or if doing so was an
insult to God. Should he leave the camel untied to
show his trust in God that the camel wouldn't run away?
The Master replied "Trust God AND tie up your camel."
More information about the Gnupg-users mailing list