how can you verify that the site you get is not a fake?

Matthew Miller mattdm at mattdm.org
Mon Jun 6 15:01:30 UTC 2005


On Mon, Jun 06, 2005 at 07:36:04AM -0700, bruce wrote:
> and matt.. now you see the issue that i've been dealing with...
> my bad for not clarifying it earlier.. the ssl aspect helps, but it still
> doesn't get to the issue of allowing someone to 'know' or be extremely
> certain, that the site they're on, is the 'right' site for the url that
> they're trying to obtain...

I think it'd help a lot if you'd clarify exactly who you're trying to help,
here. All visitors to a general-interest web site? Your customers? All
employees of a business, or other members of your own organization?


> on a similar tip. if you lose your password.. what's a secure way to get the
> password. the current method (of course) is to send you a new password via
> email.. assuming that you know your username. but given the fact that email
> is text, and could easily be sniffed, is there another/better way.. (and
> let's not get into public/private encryption!!)

The method you describe is one of the poorer current methods. A slightly
better one sends a hashed URL to the e-mail on record, and if you then go to
that site, you can set a new password. Still somewhat weak, but at least the
actual password isn't going in plain text -- and presumably, if someone else
changes your password by intercepting the mail, you'll at least know about
it.


[ps: it'd make this conversation go easier if you could not top post --
thanks!]

-- 
Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.
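As an added illustration of the reset-link approach described in the reply above (this is example code, not something from the original post or the fedora-list archive): the service mails a random one-time token, stores only a hash of it so a leaked database does not yield usable links, expires it after a short window, refuses replays, and notifies the address on record once the password actually changes. The in-memory dictionaries, the outbox list that stands in for SMTP, the example.invalid host and the 15-minute lifetime are all assumptions made for this example.

```python
"""Email-based password reset with a one-time, expiring, hashed token.

Added example, not code from the mailing-list post. Assumed: in-memory
dicts stand in for the database, and "sending" mail appends to an outbox
list so the whole flow runs offline.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60                 # assumed policy: link dies after 15 minutes
BASE_URL = "https://example.invalid/reset"  # placeholder host for the example
PBKDF2_ROUNDS = 200_000


@dataclass
class ResetRecord:
    username: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    def __init__(self):
        self.emails = {}     # username -> address on record
        self.passwords = {}  # username -> salt + PBKDF2 digest
        self.records = {}    # sha256(token) -> ResetRecord; raw token is never stored
        self.outbox = []     # (to_address, subject, body); constructed stand-in for SMTP

    @staticmethod
    def _hash_password(password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return salt + digest

    @staticmethod
    def _token_hash(token):
        return hashlib.sha256(token.encode()).digest()

    def register(self, username, email, password):
        self.emails[username] = email
        self.passwords[username] = self._hash_password(password)

    def check_password(self, username, password):
        stored = self.passwords.get(username)
        if stored is None:
            return False
        salt, digest = stored[:16], stored[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def request_reset(self, username, now=None):
        """Mail a reset link. Returns the link only so the example can be
        driven offline; a real handler would return nothing to the caller."""
        now = time.time() if now is None else now
        email = self.emails.get(username)
        if email is None:
            return None  # same outward behaviour for unknown accounts
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.records[self._token_hash(token)] = ResetRecord(username, now + TOKEN_TTL_SECONDS)
        link = f"{BASE_URL}?token={token}"
        self.outbox.append((email, "Password reset",
                            f"Visit {link} to choose a new password."))
        return link

    def complete_reset(self, token, new_password, now=None):
        """Consume the link: reject unknown, expired or already-used tokens,
        set the new password, and tell the address on record it happened."""
        now = time.time() if now is None else now
        record = self.records.get(self._token_hash(token))
        if record is None or record.used or now > record.expires_at:
            return False
        record.used = True  # single use: a replayed link does nothing
        self.passwords[record.username] = self._hash_password(new_password)
        self.outbox.append((self.emails[record.username], "Password changed",
                            "Your password was just changed. If this was not you, contact support."))
        return True
```

The "Password changed" notice is what gives the legitimate user a chance to notice an intercepted reset; the short lifetime and single-use flag shrink the window in which a sniffed link is worth anything.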