undefined | Better HN

0 pointsocdtrekkie6y ago0 comments

How do you know bankofamerica.com is owned by the actual Bank of America? Or that someone didn't use a Cyrillic character in that URL so it looks legitimate and even has a CA-signed cert? Or that one of the more questionable CAs hasn't given someone else a cert for bankofamerica.com.

I am not saying issuing self-signed certs are great, merely that CAs do not meaningfully improve on them if domain validation is all we have, because domain validation doesn't tell you a heck of a lot.

As you said in another response, the CA system has problems. EV, at least, represents something useful when issued by a CA and solves a real problem. And the problems with EV Troy complains about are all fixable.

0 comments

3 comments · 1 top-level

tptacek6y ago· 2 in thread

You keep answering this question with an unrelated question. Like I said: phishing works and is too easy to accomplish. That isn't an answer to the question I just asked you.

ocdtrekkieOP6y ago

You are dismissing the primary issue at hand, which underpins the entire conversation. Phishing is what EV addresses. And if you're not addressing phishing, you're not meaningfully addressing any sort of Internet security whatsoever.

tptacek6y ago

The incoherence of EV as a response to phishing is part of why it's failed. But I'm not talking about EV; I could care less about EV. I'm addressing your (false, increasingly so as thread deepens) claim that HTTPS doesn't require any form of PKI and that users might as well rely on self-signed certificates. Obviously: no.

j / k navigate · click thread line to collapse