Blackhat 1 the SSL phishing

After the serious DNS bug that didn't bring down the system (even if many of the DNS servers aren't patched yet), Kaminsky presented at Black Hat a new phishing or social engineering trick that could be closed very easily if some institution like ICANN had the guts to do it.

When you use a website to transfer money or personal information, the website secures this with an SSL certificate that encrypts the connection (which most forget to manage professionally). This makes the HTTPS connection and certifies that fortis.be really belongs to Fortis and not to some crook in Russia. Websites have to ask for such a certificate for each domain or subdomain. This means that if they want to secure secure.fortis.be and invest.fortis.be, they have to ask for a certificate for each of them separately.

Kaminsky has shown that when he had a certificate for mydomain.com he could ask for one for the subdomain fortis.be/mydomain.com. Well, this doesn't surprise me much.

Many anti-phishing organisations and antivirus firms, and myself (with DNS.Be), want an international blacklist to be set up of trade names and their variations that can't be registered under any domain extension without the explicit approval of the owner of that trade name. Most urgently this should be the case for banks, online payment systems, credit companies and big retail firms. Later on this system could be extended.

This system would not only protect surfers against phishing by so-called phishing domains, but also against such SSL phishing or social-network trade name hijacking.
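The registry-side check proposed above, as an added example that is not from the original post or from DNS.Be: a hypothetical `needs_owner_approval` function that flags a requested domain, under any extension, whose label contains a protected trade name or a one-character variation of it (including look-alike digits such as 0 for o). The protected names are constructed placeholders.

```python
import re
from typing import Optional

# Constructed placeholder list of protected trade names (not a real registry list).
PROTECTED_NAMES = ["fortis", "paypal"]

# Look-alike characters commonly swapped for letters in phishing domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def normalise(label: str) -> str:
    """Lower-case a label, map confusable characters back to letters, drop separators."""
    return re.sub(r"[-_.]", "", label.lower().translate(CONFUSABLES))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character variations such as 'forts'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def needs_owner_approval(domain: str, protected=PROTECTED_NAMES) -> Optional[str]:
    """Return the protected trade name a registration request collides with, or None.

    The domain extension (last label) is ignored on purpose: the check applies
    under every TLD. A request collides when any remaining label, after
    normalisation, contains the name or is within one edit of it. Very short
    protected names would need a stricter rule than substring matching.
    """
    labels = domain.lower().rstrip(".").split(".")[:-1] or [domain.lower()]
    for label in labels:
        norm = normalise(label)
        for name in protected:
            if name in norm or edit_distance(norm, name) <= 1:
                return name
    return None
```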

Comments

  • Phishing is a very big problem nowadays, but BitDefender has a very nice solution: an AV with an anti-phishing engine. I recommend it because all my friends, including me, are using it and we are very pleased with it.
