Jason Haar wrote:
The attack you are describing affects every bank in the world running HTTPS - and governments are suspected of carrying out these very attacks. I don't see banks scurrying around trying to solve it - I think it's in the "too hard and I might get killed" basket.
The proposed mechanism is not really an equivalent of HTTPS hostname checks.
First of all, HTTPS certificates are not really compared against reverse DNS queries, but rather against the hostname part of the URL. This makes a difference, as the attacker should not be able to control URLs within an SSL session.
Also, manual inspection of the hostname contained in the URL is expected to be performed by the user. There is a huge difference between connecting to *any* website with a valid certificate, and connecting to a specific bank.
Best regards, Mike
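As an added illustration of the point Mike makes above (example code written for this page, not part of the original thread), the following simulates the client-side name check an HTTPS client performs: the name it compares the certificate against is the hostname taken from the URL, and a reverse-DNS (PTR) name for the server's address plays no part in the decision. The certificate SAN entries, URLs and PTR name are constructed sample values; the matching rules follow the usual RFC 6125 / RFC 2818 conventions for dNSName entries (wildcard only as the entire leftmost label, covering exactly one label).

```python
"""Added illustration (not from the original mailing-list thread): how an
HTTPS client decides whether a certificate matches, using the hostname taken
from the URL, not a reverse-DNS (PTR) name for the server's IP address.

The matching rules follow the RFC 6125 / RFC 2818 conventions browsers apply
to dNSName entries in subjectAltName; all names below are constructed samples.
"""
from urllib.parse import urlsplit

# Constructed sample: dNSName entries from a bank's certificate subjectAltName.
BANK_CERT_SANS = ["www.example-bank.test", "*.example-bank.test"]

# Constructed sample: what a reverse-DNS lookup of the server IP might return.
# A PTR record is set by whoever controls the IP block, so it says nothing
# about which site the user intended to reach.
REVERSE_DNS_NAME = "srv42.shared-hosting.test"


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single dNSName pattern matches hostname.

    Rules: case-insensitive; a wildcard is allowed only as the entire leftmost
    label, it matches exactly one label, and it never matches the bare domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, and at least two more labels
    # must follow it (so a pattern like "*.test" is rejected here).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False  # "*" covers exactly one label, never zero or several
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(san_names, hostname: str) -> bool:
    """RFC 6125-style check: any SAN dNSName entry may match the hostname."""
    return any(dns_name_matches(n, hostname) for n in san_names)


def hostname_from_url(url: str) -> str:
    """The name an HTTPS client compares the certificate against comes from
    the URL that was requested, never from a reverse lookup of the peer IP."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in URL: {url!r}")
    return host


def https_would_accept(url: str, san_names=BANK_CERT_SANS) -> bool:
    """Simulate the client-side certificate name check for one HTTPS URL."""
    return cert_matches_hostname(san_names, hostname_from_url(url))


if __name__ == "__main__":
    for url in [
        "https://www.example-bank.test/login",
        "https://online.example-bank.test:8443/",
        "https://example-bank.test/",              # bare domain: wildcard does not cover it
        "https://a.b.example-bank.test/",          # two labels: wildcard covers only one
        "https://www.example-bank.test.attacker.test/",
    ]:
        verdict = "accepted" if https_would_accept(url) else "REJECTED"
        print(f"{url:50} -> {verdict}")
    # The PTR name is irrelevant to the decision, even though it resolves:
    print("reverse DNS name matches cert?",
          cert_matches_hostname(BANK_CERT_SANS, REVERSE_DNS_NAME))
```

The last line is the crux of Mike's objection: a valid certificate for whatever name the server's IP happens to reverse-resolve to proves nothing about the site the user typed, which is why the check is anchored to the URL hostname and why the user is still expected to look at that hostname.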