pyvek | 10 years ago

I'd like to know more about this. When you buy a domain-validated SSL certificate (that costs $5-10) for which the process is completely automated, does the issuing authority really check or care about which domain it is being used on? Does a human (or a program) check the "suspicious factor" of the domain?

chrisfosterelli|10 years ago

No. It's easy to currently register an SSL certificate for any domain, even if that domain is similar to the name of another. The main reason this was a "deterrent" to phishers is that generating tons of these was expensive.

The phishers still have to front the cost for the domain itself, so this really isn't going to increase the number of phishing domains. It may increase the number of phishing domains with SSL, but the purpose of Let's Encrypt is to encrypt everything -- not just "official domains".

SCHiM|10 years ago

No, you are wrong. Perhaps it's not the case everywhere. But like I said, from personal experience I know that certain types of domains are checked. I tried and failed to register a certificate for a phishing domain that masqueraded as a banking website.

Whether or not this was originally the point of SSL, this is how many non-technical people decide to trust a page or not: by looking at the lock in their browser.