The Washington Post reports on a phishing website that managed to obtain a "legitimate" security certificate. The certificate is what sits behind the little lock or key icon in the bottom bar of your web browser, and it supposedly tells you who the site really belongs to*; in practice it is only as trustworthy as the certification authority (CA) that issued it, and it vouches for nothing beyond what that CA actually checked. In this case it seems a subsidiary of one of our credit rating agencies issued the certificate to the crooks through a fully automated process: nobody confirmed that the applicant was who they claimed to be; the system simply scanned the online application for certain keywords.
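The check a cautious user (or a script) would want here is to look at what the certificate actually asserts rather than at the lock icon. The example below is added to this post and is not code from the original article or from any CA; it works on dictionaries constructed to mimic the shape Python's `ssl.SSLSocket.getpeercert()` returns, so it runs offline. The two sample certificates, their names and issuers are invented. Treating "an organizationName is present in the subject" as "the CA vetted an organization" is a simplification (extended-validation certificates are marked by policy identifiers that this dictionary format does not expose), but it captures the point: a certificate whose subject carries only a host name tells you nothing about who operates the site.

```python
"""Added example: what a server certificate does and does not vouch for.

The dicts below are constructed to look like ssl.SSLSocket.getpeercert()
output. They are assumptions for illustration, not real certificates.
"""

# Constructed sample: a certificate an automated process would hand to anyone
# who controls the (look-alike) domain name. Subject has only a commonName.
DV_CERT = {
    "subject": ((("commonName", "secure-login.example-bank.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Automated CA"),),
        (("commonName", "Example Automated CA Server CA"),),
    ),
    "subjectAltName": (
        ("DNS", "secure-login.example-bank.test"),
        ("DNS", "www.secure-login.example-bank.test"),
    ),
    "version": 3,
    "serialNumber": "0A1B2C",
    "notBefore": "Feb  1 00:00:00 2006 GMT",
    "notAfter": "Feb  1 00:00:00 2007 GMT",
}

# Constructed sample: a certificate whose issuer also vetted the organization,
# so the subject carries an organizationName alongside the host name.
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Utah"),),
        (("organizationName", "Example Bank Inc."),),
        (("commonName", "www.example-bank.test"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Vetting CA"),),
        (("commonName", "Example Vetting CA Organization CA"),),
    ),
    "subjectAltName": (("DNS", "www.example-bank.test"),),
    "version": 3,
    "serialNumber": "3D4E5F",
    "notBefore": "Jan 15 00:00:00 2006 GMT",
    "notAfter": "Jan 15 00:00:00 2007 GMT",
}


def _flatten_name(name):
    """Flatten getpeercert()'s tuple-of-RDN-tuples into a plain dict."""
    fields = {}
    for rdn in name:
        for key, value in rdn:
            fields[key] = value
    return fields


def dns_names(cert):
    """All host names the certificate is valid for (SAN entries plus CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = _flatten_name(cert.get("subject", ())).get("commonName")
    if cn and cn not in names:
        names.append(cn)
    return names


def identity_assertion(cert):
    """What the issuing CA vouched for: an organization, or only a host name.

    Simplification (assumption): presence of organizationName in the subject
    is taken to mean the CA vetted an organization.
    """
    subject = _flatten_name(cert.get("subject", ()))
    return "organization" if "organizationName" in subject else "domain-only"


def belongs_to(cert, expected_org):
    """True only if the certificate actually names expected_org as its subject.

    A domain-only certificate can never satisfy this, however convincing the
    host name looks: nobody vouched for who is behind it.
    """
    subject = _flatten_name(cert.get("subject", ()))
    return subject.get("organizationName") == expected_org


def describe(cert):
    """One-line summary of what the lock icon is really telling you."""
    issuer = _flatten_name(cert.get("issuer", ())).get("organizationName", "?")
    names = ", ".join(dns_names(cert))
    if identity_assertion(cert) == "organization":
        org = _flatten_name(cert["subject"])["organizationName"]
        return f"issued by {issuer} to {org} for {names}"
    return f"issued by {issuer} for {names}; no organization vetted"


if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT):
        print(describe(cert))
        print("  is this Example Bank Inc.?", belongs_to(cert, "Example Bank Inc."))
```

Run against a live connection, the same functions would take the dict from `getpeercert()` on a verified `ssl` socket; the point is that for the first sample the only honest answer to "is this my bank?" is "unknown", because the CA never asked.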
I've blogged before about how our credit rating agencies provide credit ratings that don't reflect your actual creditworthiness. Now it seems they issue security certificates that don't actually provide any security.
Why exactly do these guys deserve to stay in business?
* It also tells you that the communication between your computer and the server is encrypted to protect the data from being intercepted in transit. Note that it is encrypted to whoever holds the certificate's private key; if that is the phisher, the encryption merely hides your password from everyone except the crook.