2002-02-13
PKI provides Web users with a false sense of security that undermines the security of their on-line information.
PKI - Breaking the Yellow Lock
2002-02-14
Sjonnie (1 replies)
This is news... how?
2002-02-15
TheReject (2 replies)
PKI - Breaking the Yellow Lock
2002-02-17
Exothermic Reaction (2 replies)

i) The browser will accept a cert, bearing the site name, from any of the CAs the browser recognises (not those the user has chosen to trust).
ii) The domain name and the machine IP address are not securely linked by the cert, but by the independently managed DNS system, which means your local DNS administrator controls where your browser looks for the site.
So, while it's valid to say the CC data is sent securely to a server, the important question is: "Which SSL server?"
And this is exponentially important for high value information, payments and privacy material.
Lyal
Link to this comment: http://www.securityfocus.com/comments/columns/60/10613#10613
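
Point (i) of the comment above can be reproduced offline with OpenSSL. This is an added example, not part of the original thread: the CA labels `ca-a` and `ca-b`, the site name `shop.example` and the file layout are all constructed. It compares a trust bundle holding every recognised CA with one holding only the CA the user has chosen.

```shell
#!/bin/sh
# Added illustration; every name and file below is constructed for the demo.
set -eu
workdir=$(mktemp -d)
site="shop.example"

make_ca() {   # $1 = CA label; writes $1.key and a self-signed $1.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
}

issue() {     # $1 = CA label; that CA signs a cert bearing the site name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$site" \
    -keyout "$workdir/$1-site.key" -out "$workdir/$1-site.csr" 2>/dev/null
  openssl x509 -req -in "$workdir/$1-site.csr" -days 1 \
    -CA "$workdir/$1.pem" -CAkey "$workdir/$1.key" -CAcreateserial \
    -out "$workdir/$1-site.pem" 2>/dev/null
}

accepts() {   # $1 = trust bundle, $2 = cert; status 0 if the chain verifies
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {    # $1 = description, $2 = trust bundle, $3 = cert
  if accepts "$2" "$3"; then echo "$1: ACCEPTED"; else echo "$1: rejected"; fi
}

# ca-a is the CA the site really uses; ca-b is merely another recognised CA.
make_ca ca-a
make_ca ca-b
issue ca-a
issue ca-b   # same subject name, different issuer

# Browser-style store: every recognised CA is equally authoritative.
cat "$workdir/ca-a.pem" "$workdir/ca-b.pem" > "$workdir/browser-bundle.pem"
# User-chosen store: only the CA the user decided to trust for this site.
cp "$workdir/ca-a.pem" "$workdir/chosen.pem"

report "all recognised CAs, cert from ca-a" \
  "$workdir/browser-bundle.pem" "$workdir/ca-a-site.pem"
report "all recognised CAs, cert from ca-b" \
  "$workdir/browser-bundle.pem" "$workdir/ca-b-site.pem"
report "user-chosen CA only, cert from ca-a" \
  "$workdir/chosen.pem" "$workdir/ca-a-site.pem"
report "user-chosen CA only, cert from ca-b" \
  "$workdir/chosen.pem" "$workdir/ca-b-site.pem"
```

Only the last case is rejected: with the full bundle, both certificates for the same name verify, so the check cannot tell which issuer the site actually uses.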