by aquark 5464 days ago
True -- the green lock itself wouldn't help here. I was thinking more along the lines of code signing certificates.

When I visit my bank's web site and drill into the certificate details I can at least establish that someone my browser vendor trusts (or someone they trust ...) issued the certificate to an _organization_ called 'Bank of Nova Scotia' in Toronto, not just the domain name.

If I was able to register micr0soft.com then hopefully I would have a hard time getting an SSL certificate issued for it. I know there have been a number of discussions on certificate infrastructure here that show how complex this can become.

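The distinction drawn above, between a certificate that names only a domain and one that names an organization, as an added example (not code from the thread): two constructed self-signed certificates are parsed with Go's standard crypto/x509 and their subjects compared. The hostnames and subjects are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed self-signed certificate so the check runs offline.
func makeCert(host string, subject pkix.Name) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// AssertedOrganization returns the organization (plus locality, if present) named in
// the subject, or "" when the subject carries only a domain name (a DV-style certificate).
func AssertedOrganization(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) == 0 {
		return ""
	}
	s := cert.Subject.Organization[0]
	if len(cert.Subject.Locality) > 0 {
		s += ", " + cert.Subject.Locality[0]
	}
	return s
}

func main() {
	dv := makeCert("micr0soft.example", pkix.Name{CommonName: "micr0soft.example"})
	ov := makeCert("bank.example", pkix.Name{CommonName: "bank.example", Organization: []string{"Bank of Nova Scotia"}, Locality: []string{"Toronto"}})
	fmt.Printf("%s -> %q\n%s -> %q\n", dv.DNSNames[0], AssertedOrganization(dv), ov.DNSNames[0], AssertedOrganization(ov))
}
```

A browser's "green lock" only tells you the domain matched; this subject check is what exposes whether any organization identity was vetted at all.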

SSL certificates bring nothing other than a false peace of mind. I've seen fake antivirus software that goes to great lengths to provide verified (!) SSL encrypted pages to steal your credit card details.
Well, that, and actually allowing SSL sessions to be encrypted without being trivially susceptible to MITM attacks.
Which fake software is this? If it's already taken control of the client side, too, couldn't it just be altering the root certificate set rather than exploiting some weakness of the union of all of the existing roots (which no doubt have many such weaknesses regardless)?
"Vista Security 2012". It can't touch the root certs as you need elevated privileges to do that. The entire thing hijacks the user's shell via the registry. You can log in as another user on the machine and it appears not to be infected.

Quite well designed really :-)