Hacker News

Many years ago, I was put into a situation where I had to start using online banking. Being skeptical about security, I asked for something along the lines of a certificate hash that could be verified in person. They couldn't answer that. So I tried asking how I could verify that the certificate displayed by the web browser was correct. They couldn't answer that. In the end, I ended up trusting the padlock icon and being left with the impression that commercial security was mostly about the illusion of security. To this day I'm left with the impression that some sort of MITM attack would be possible through the creative abuse of certificate issuers and proxies since there is no direct means of verifying the certificate is authentic. And they won't take that final step since it shatters the illusion of security being simple.


> mostly about the illusion of security. To this day I'm left with the impression that some sort of MITM attack would be possible through the creative abuse of certificate issuers and proxies since there is no direct means of verifying the certificate is authentic

Why would a bank's customer support agent know about encryption? Usually IT is a siloed function in most banks.


In a sane world, the bank would have a flier for the teller to give to the GP with several ways to verify the bank's key.

We only live without this because the bank can just reverse transactions when there is a problem and the police will fall pretty heavily on anybody who exploits the weakness. And also, because there are plenty of easier-to-exploit ones.


I think it was more that a random bank teller could not be expected to explain the intricacies of certificate authorities and online encryption. The bank likely has a security whitepaper on their website which explains all this.


Nowadays, all certificates have to be submitted to Certificate Transparency Logs and must have attached proof to be considered valid. Also, there are CAA records to ensure that only specific CAs are able to issue certificates.
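The CAA check mentioned in the comment above, written out as an added example (not code from the thread); the zone data, CA names and hostnames are constructed, and a real issuer would obtain the records with a DNS CAA query instead of the in-memory table. It follows the RFC 8659 rules: climb toward the root to find the relevant RRset, let issuewild override issue for wildcard requests, treat an empty value as "no CA", and refuse on an unrecognised critical-flagged tag.

```python
from typing import Dict, List, Tuple

# Constructed CAA zone data: name -> list of (flags, tag, value).
# Flag bit 128 is the "issuer critical" flag; hostnames and CA names are assumptions.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [
        (0, "issue", "trusted-ca.example; accounturi=https://trusted-ca.example/acct/42"),
        (0, "issuewild", ";"),          # empty value: no CA may issue wildcard certs
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],          # nobody may issue for this name
    "strict.example.com": [(128, "futuretag", "x")],    # critical tag this checker does not know
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_caa_set(name: str) -> List[Tuple[int, str, str]]:
    """Climb from the FQDN toward the root and return the first non-empty CAA RRset."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []   # no CAA records anywhere in the ancestry

def _issuer_domain(value: str) -> str:
    """'ca.example; accounturi=...' -> 'ca.example'; a bare ';' -> '' (no issuer)."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(name: str, ca_domain: str, wildcard: bool = False) -> bool:
    rrset = relevant_caa_set(name)
    # A critical record with a tag we do not understand forbids issuance outright.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True      # no restriction for this request type: any CA may issue
    permitted = {_issuer_domain(v) for v in applicable} - {""}
    return ca_domain.lower() in permitted
```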




