Dean, this is very helpful. Thank you!

Parry

-----Original Message-----
From: Dean Anderson [mailto:dean@xxxxxxx]
Sent: Monday, December 22, 2003 3:20 PM
To: Parry Aftab
Cc: ietf@xxxxxxxx
Subject: RE: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]

On Sun, 21 Dec 2003, Parry Aftab wrote:

> If not to protect them, how can you verify that a site is not being
> spoofed, technically?

When you connect to a secure website, you can examine the SSL Certificate for the site, usually by clicking on the "lock" symbol on many browsers. People should learn how to do this, and make it a habit of doing so when they connect to secure sites, so they recognize when something changes.

Unfortunately, like other components of scams, the certificate might have a similar-sounding name. You think you've got (eg) paypal.com, but you got Paypal-business.com. The certificate (we assume for argument) really does belong to an entity called paypal-business.com, but is paypal-business.com the same as paypal? You don't know.

The best thing to do is start from (eg) paypal.com from your account statement, etc, and examine the site certificate. Then you have a good chance that it is not spoofed. But it is only a chance, as it could still be spoofed in various ways. There are lots of scenarios for this, but here's one: your computer could be infected with a virus which installed a web proxy--then the attacker sends you a message to go update your stuff. You type in paypal.com, but your infected browser goes to the fake site instead. When you try to view the certificate, your infected browser shows you the real certificate information. You can't easily know this didn't happen. But examining the certificate is a good practice.

So there are things to do that will make the con-artist's job harder, but you can't make it impossible to be conned. But hopefully, the police will be able to track down the con-artists, and by doing so, will deter others.
There is no perfect system, so we can't give any assurances that there is a perfect system. Nor is it the case that if you do or don't do certain things, you can't be victimized. The best we can do is tell people to use their common sense, so they aren't victimized by the lowest-grade of con-artists.

The issue is not a technical issue, but a social and policy issue. You can also be sure, as a point of policy, that if the law enforcement community doesn't react swiftly and harshly to cons and frauds, then the lowest-grade cons will be attracted to the internet, where experience and close calls will improve their skills. A large number of high-grade (by that I mean very sophisticated) con-artists would be a disaster. A large number of low-grade con-artists creates momentum for increases in the number of high-grade con-artists.

The policy implications are clear. Law enforcement tends to focus on the most serious criminals: bank robbers who take control of a bank and enter the vault get more attention than the person who passes a note to a teller. This is good policy, but the 'note passers' who rob real banks aren't completely ignored. In contrast, in the virtual world, that's just what's been happening: 'note-passers' are ignored altogether until they graduate to the major 'seizing control' level. This is bad policy.

Consider the Microsoft worm perpetrator who coincided with the East Coast Blackout. When it was suspected that it might be related to the blackout, the police found this guy right quick. It is not hard to track these things down with law enforcement powers. But nearly all virus operators are ignored, even when reported.

I operate an ISP in Boston. I've reported several computer break-ins over the years to the Feds. They take the report and nothing happens. Now, I don't bother. I have enough to do. By trial and error, the crackers and con-artists get better.

--Dean
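Dean's point that a certificate can be perfectly valid for paypal-business.com and still say nothing about paypal.com is exactly what a browser's hostname check decides, and what a user has to decide by eye when they click the lock. The script below is an added example, not code from this thread or from any of its participants: it applies RFC 6125-style name matching (exact label match, wildcard only as the whole leftmost label) to constructed certificate name lists, and then separately flags a "lookalike" name that contains the expected brand but lives under a different registrable domain. The registrable-domain heuristic (last two labels) is an assumption for illustration; production code would consult the Public Suffix List.

```python
"""Certificate-name check of the kind a browser performs for the lock icon.

Added example for the thread above; the certificate name lists used here are
constructed, so nothing is fetched from the network.
"""


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a hostname.

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is only honoured as the entire leftmost label ("*.example.com")
    - the wildcard covers exactly one label, so "*.example.com" matches
      "www.example.com" but neither "example.com" nor "a.b.example.com"
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parent = pattern[2:]
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == parent
    return False


def cert_covers_host(cert_dns_names, hostname: str) -> bool:
    """True if any subjectAltName DNS entry covers the hostname the user typed."""
    # Modern browsers ignore the subject CN once a SAN extension is present,
    # so only SAN DNS names are considered here.
    return any(_name_matches(name, hostname) for name in cert_dns_names)


def registrable_domain(hostname: str) -> str:
    """Assumed heuristic: last two labels. Real code would use the Public Suffix List."""
    labels = hostname.lower().rstrip(".").lstrip("*.").split(".")
    return ".".join(labels[-2:])


def assess(expected_host: str, cert_dns_names):
    """Classify a certificate against the site the user meant to reach.

    Returns (verdict, name) where verdict is one of:
      "match"     - a certificate name genuinely covers expected_host
      "lookalike" - no match, but a name reuses the expected brand under a
                    different registrable domain (the paypal-business.com case)
      "mismatch"  - no match and no brand reuse detected
    """
    for name in cert_dns_names:
        if _name_matches(name, expected_host):
            return "match", name
    expected_reg = registrable_domain(expected_host)
    brand = expected_reg.split(".")[0]
    for name in cert_dns_names:
        if brand in name.lower() and registrable_domain(name) != expected_reg:
            return "lookalike", name
    return "mismatch", None


if __name__ == "__main__":
    # Constructed cases, not real certificate data.
    cases = [
        ("paypal.com", ["paypal.com", "www.paypal.com"]),
        ("www.paypal.com", ["*.paypal.com"]),
        ("paypal.com", ["paypal-business.com", "www.paypal-business.com"]),
        ("paypal.com", ["example.net"]),
    ]
    for host, names in cases:
        verdict, name = assess(host, names)
        print(f"{host:20} vs {names}: {verdict} ({name})")
```

The "lookalike" verdict is a heuristic for a human reviewer, not a security decision: a browser only ever computes "match" or "mismatch", and, as Dean notes, even a correct match tells you nothing if the machine doing the checking is already compromised.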