‘Microsoft’ to
an individual unassociated with the software giant [10].
• By a worthless certificate. It is easy to produce a
self-signed SSL certificate: you act as your own certificate
authority instead of paying a known third party to vouch for
your identity. Such a certificate still encrypts the
connection, but because nobody independent has checked who
you are, it proves nothing about who is at the other end, and
browsers warn about it rather than showing a padlock.
• By a low-quality certificate. Some certification
authorities (CAs) issue low-cost certificates, or trial
certificates, which make it easy for smaller vendors to
enter the market. In some cases the identity checks
carried out before issuing these certificates are cursory
and almost instantaneous (often no more than an automated
check that the applicant controls the domain name), so the
certificates have little value for authentication.
• By malware active on your PC. Malware can suppress
security errors, create falsified security indicators, paint
over input forms in order to capture or modify your input
before it is encrypted by SSL, or otherwise mislead you
about how your PC or your browser is behaving.
• By becoming accustomed to starting secure connections
from insecure pages. Numerous legitimate on-line
financial sites [11] invite you to log in from their main
(http) page, then take you via some scripting to their
secure (https) site. In many cases these insecure pages
include padlock imagery, lending credibility to spoofed
sites which do the same. A padlock drawn inside the page
is just a picture; only the browser's own indicator says
anything about the connection, and an http page can be
altered in transit before it ever reaches you.
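The certificate checks these tricks call for, as an added example that is not code from the original article: a small Python script that takes a server certificate in the form Python's ssl module reports it, flags a self-signed certificate (issuer identical to subject), a domain-validated certificate with no organisation in its subject, a hostname the certificate does not cover, an expired or not-yet-valid certificate, and an issuer that differs from the one you have seen on that site before. The expected-issuer table and the three sample certificates are constructed for illustration; the bank and CA names in them are not real.

```python
# Added example, not code from the original article. The expected-issuer
# table and the sample certificates below are constructed, not real.
import socket
import ssl
import sys
import time


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return the server certificate as the dict ssl.SSLSocket.getpeercert()
    produces. Verification stays on: a self-signed or otherwise untrusted
    certificate raises ssl.SSLCertVerificationError instead of being accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) name form."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def hostname_in_cert(hostname, cert):
    """True if hostname is covered by a subjectAltName DNS entry (exact or a
    single-label wildcard); without any DNS SAN, fall back to the commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [_name_to_dict(cert.get("subject", ())).get("commonName", "")]
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def analyse_cert(cert, hostname, expected_issuers, now=None):
    """Return a list of warnings about cert as presented for hostname.

    expected_issuers maps sites you have visited before to the issuer
    commonName seen then, so a changed issuer on a familiar site, or a
    site you have no record of at all, stands out."""
    now = time.time() if now is None else now
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    warnings = []
    # A self-signed certificate names itself as issuer: nobody else vouched for it.
    if subject == issuer:
        warnings.append("self-signed")
    # Cheap or trial certificates usually carry no organisation name, because
    # the CA only checked control of the domain, not who the operator is.
    if "organizationName" not in subject:
        warnings.append("domain-validated only")
    if not hostname_in_cert(hostname, cert):
        warnings.append("hostname mismatch")
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        warnings.append("outside validity period")
    known = expected_issuers.get(hostname)
    if known is None:
        warnings.append("no record of this site")
    elif issuer.get("commonName") != known:
        warnings.append("issuer changed")
    return warnings


# Constructed sample data: a hypothetical bank and hypothetical CAs.
EXPECTED_ISSUERS = {"onlinebank.example": "Example Trust OV CA 1"}

# What a bank whose organisation was actually checked might present.
BANK_CERT = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Example Bank plc"),),
                (("commonName", "onlinebank.example"),)),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Trust OV CA 1"),)),
    "subjectAltName": (("DNS", "onlinebank.example"), ("DNS", "www.onlinebank.example")),
    "notBefore": "Mar 15 00:00:00 2024 GMT",
    "notAfter": "Mar 15 00:00:00 2025 GMT",
}
# The same name on a worthless certificate: issuer identical to subject.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "onlinebank.example"),),),
    "issuer": ((("commonName", "onlinebank.example"),),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2034 GMT",
}
# A look-alike name on a low-quality certificate: real CA, no organisation checked.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "onlinebank-secure-login.example"),),),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Trust DV CA 2"),)),
    "subjectAltName": (("DNS", "onlinebank-secure-login.example"),),
    "notBefore": "Jun 01 00:00:00 2024 GMT",
    "notAfter": "Sep 01 00:00:00 2024 GMT",
}
WHEN = ssl.cert_time_to_seconds("Jun 15 00:00:00 2024 GMT")  # fixed clock for the samples

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of a real host: python check_cert.py host
        host = sys.argv[1]
        print(host, analyse_cert(fetch_peer_cert(host), host, EXPECTED_ISSUERS) or ["no warnings"])
    else:  # offline run over the constructed samples
        for label, cert, host in (("bank", BANK_CERT, "onlinebank.example"),
                                  ("self-signed", SELF_SIGNED_CERT, "onlinebank.example"),
                                  ("look-alike", LOOKALIKE_CERT, "onlinebank-secure-login.example")):
            print(label, analyse_cert(cert, host, EXPECTED_ISSUERS, now=WHEN) or ["no warnings"])
```

Run without arguments it reports on the samples; given a hostname it fetches the live certificate with verification left on, so a self-signed certificate fails at the handshake rather than reaching the analysis. The "no record of this site" warning is the one that matters most against phishing: a look-alike domain on a perfectly valid domain-validated certificate passes every check the browser makes, and only your own memory of how the real site identifies itself catches it.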
Q. So how can you out-trick such trickery?
A. Fortunately, many phishing tricks are obvious once you
know what to look for. In particular, you should familiarize
yourself with SSL certificates and how to check them. If you
know how your bank usually identifies itself to you, for
instance, then