On the subject of phishers becoming ever more sophisticated: we’ve seen several phishing sites using valid SSL certificates.
This issue has had some press before, and the current solution is to make the process of obtaining a valid certificate more difficult and costly for a phisher. The name for this is Extended Validation (EV).
There is no technical difference between an EV certificate and a ‘normal’ X.509/SSL certificate; they’re just meant to be more difficult to obtain from a Certificate Authority (CA).
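As an added illustration (not code from the original post), this is how a client actually tells the two apart: the one thing that distinguishes an EV certificate on the wire is an EV policy OID in its certificatePolicies extension that the browser recognises; cryptographically it is the same X.509 certificate, and its validity dates are checked exactly as for any other. The Go below builds a constructed, self-signed certificate and classifies it; `MakeTestCert`, `ClassifyCert` and the `example.test` name are this example's own, not anything from the post or from a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// EVPolicyOID is the CA/Browser Forum EV policy identifier (2.23.140.1.1). A browser gives
// the EV treatment when the leaf's certificatePolicies extension carries this or a
// CA-specific EV OID; the certificate is otherwise ordinary X.509, as the post says.
var EVPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
// ClassifyCert reports whether cert carries the EV policy OID and whether now lies outside
// its validity window. The two checks are independent: EV does not exempt a cert from expiry.
func ClassifyCert(cert *x509.Certificate, now time.Time) (isEV, expired bool) {
	for _, oid := range cert.PolicyIdentifiers {
		isEV = isEV || oid.Equal(EVPolicyOID)
	}
	return isEV, now.Before(cert.NotBefore) || now.After(cert.NotAfter)
}
type policyInformation struct{ Policy asn1.ObjectIdentifier } // PolicyInformation SEQUENCE, qualifiers omitted

// MakeTestCert builds a constructed, self-signed certificate (not issued by any real CA)
// for offline testing: ev adds the EV policy OID, the two times set its validity window.
func MakeTestCert(ev bool, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "example.test"}}
	if ev {
		// id-ce-certificatePolicies (2.5.29.32), hand-encoded so it works on any Go version.
		val, err := asn1.Marshal([]policyInformation{{EVPolicyOID}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Calling `ClassifyCert` on a certificate built with `ev` set but a `notAfter` in the past returns EV true and expired true, which is exactly the state of the site the post ends on.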
Does this not defeat the object of what SSL certificates were originally intended to be? Were SSL certificates not meant to be difficult to obtain, and to require validation, in the first place? All this now says to users is that ‘normal’ SSL certificates cannot be trusted, and that organisations now have to purchase one of these ‘extra-secure’ certificates.
As if educating users to trust the ‘lock icon in the status bar’ wasn’t difficult enough, they now have to be trained to tell the difference between two valid certificates.
And just to end on a joke: the site set up by Microsoft to demonstrate the security of EV certificates has…

…an expired certificate.