you will more easily be able to carry out
‘negative authentication’ when you need to.
The site http://whichssl.com/, though not as independent as its
name might imply (it is run by a certification authority),
offers a handy ‘test your own site now’ link. This takes you to
an https site of your choice whilst explaining, in an adjacent
browser window, how to use your browser to check the SSL
certificate supplied by that site.
Most browsers make an effort to warn you when dubious
certificates have been presented, but (as [9] suggests) many
users click through these warnings without giving them the
attention they deserve. It doesn’t help that legitimate sites
frequently allow certificates to expire, or publish certificates
on one website issued in the name of another, or use
certificates that provoke browser warnings that can safely
be ignored. This just reinforces risky behaviour.
Q. You mentioned ‘negative authentication’. Can’t we run
community-based databases, like real-time block lists (RBLs)
for spam, which help us to identify on-line fraudsters?
A. Several such schemes exist. Netcraft, for example [12],
offers a browser toolbar add-on through which you can report
and identify phishers on-line. Netcraft allows ISPs,
organizations and the like to utilize its database of known
dubious locations on the Internet.
This can be useful in mitigating inbound communications
which reference these sites, such as email which tries to
persuade you to visit a spoofed website, or to download a
piece of malware which the phisher can turn against you later.
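As an added example (not code from the article or from Netcraft), a small Python filter of the kind an ISP or mail gateway could run against inbound email: it extracts the URLs from the text parts of a message and flags those whose host, or any parent domain, is on a block list of known phishing hosts. The block list entries and the sample message are constructed placeholders.

```python
"""Flag URLs in an inbound email whose host is on a phishing block list."""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed block list of hostnames (placeholder values, not real indicators).
BLOCKLIST = {"secure-login.example", "update.bank-verify.example"}

# Matches http/https URLs in free text; trailing punctuation is stripped later.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hostname_of(url):
    """Return the lower-cased host of a URL without user-info, port or trailing dot."""
    host = urlsplit(url).hostname  # .hostname drops user:pass@ and :port
    return host.lower().rstrip(".") if host else None


def is_blocked(host, blocklist=BLOCKLIST):
    """True if the host itself or any parent domain is on the block list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def blocked_urls(raw_message, blocklist=BLOCKLIST):
    """Return every URL in the message's text parts that points at a blocked host."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;:)")
            host = hostname_of(url)
            if host and is_blocked(host, blocklist):
                hits.append(url)
    return hits


# Constructed sample message (not a real phishing email).
SAMPLE = """From: alerts@bank.example
To: customer@example.org
Subject: Action required

Please confirm your details at
HTTP://Update.Bank-Verify.EXAMPLE:8080/confirm
or read our policy at https://www.example.org/policy.
Older notice: http://www.secure-login.example/acct.
"""

if __name__ == "__main__":
    for url in blocked_urls(SAMPLE):
        print("blocked:", url)
```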