moike,

Pharming does not redirect a browser to another URL. Your browser will have the correct URL displayed in the address bar. But, the IP address that the DNS lookup provided is not that of the URL you see. It is the IP address chosen by the attacker so your computer connects to the attacker's server but the URL name is correct.

So the bookmark advice, while still good to follow for other reasons, will not protect against a pharming attack.

In order for the attacker to also spoof an SSL connection, then they would have to obtain a copy of the SSL certificate, which is unfortunately an impossible task but not easy. Then your browser will not complain in the least about a bad SSL certificate. Unfortunately, many users are conditioned to accept bad certificates due to poor admin practices. I am still hounding a colleage to splurge for a cert. from an established CA rather than a self-signed cert.

Now I see your train of thought. Yes, that would make sense as a possible scenario.

I also was thinking a little differently on the certificate issue as well. I was thinking along the lines of a well constructed, targeted blended threat to obtain a copy of the pharmed site's actual certificate. I realize the effort this would take and the chances are it would be detected. Also the issuing CA could then add the pilfered certificate to their CRL. But could the attacker also spoof the CA's CRL?

With the way things are evolving these days, small windows of opportunity for attackers do not seem to be providing protection to potential victims anymore.

Another approach pharming can lead to is a man-in-the-middle attack. This is not as difficult to pull off with SSL as it was thought to be.

BTW: I had intended to reply to another thread, but I inadvertently started a new topic.