how can you verify that the site you get is not a fake?

Les Mikesell lesmikesell at gmail.com
Mon Jun 6 15:44:45 UTC 2005


On Mon, 2005-06-06 at 09:36, bruce wrote:
> and matt.. now you see the issue that i've been dealing with...
> 
> my bad for not clarifying it earlier.. the ssl aspect helps, but it still
> doesn't get to the issue of allowing someone to 'know' or be extremely
> certain, that the site they're on, is the 'right' site for the url that
> they're trying to obtain...

In theory, when using https, your browser should alert you if the
site does not have the certificate issued by a trusted authority
for that domain name - unless you previously chose to accept the
certificate that they do have.

In practice, people can be fooled by making the visible part of a
link (both in the linking page and with some tricks, in the browser
location window) say what you expect but in fact have a URL going to
a different site.  Or they may just click the 'accept' popup and go
on anyway.

> on a similar tip. if you lose your password.. what's a secure way to get the
> password. the current method (of course) is to send you a new password via
> email.. assuming that you know your username. but given the fact that email
> is text, and could easily be sniffed, is there another/better way.. (and
> let's not get into public/private encryption!!)
> 
> any ideas/thoughts...

Most places let you change your own password online through an https
connection, so if you have a password sent by email, then quickly
change it yourself, you can limit your exposure.  Also, you can
use the ssl variations of pop or imap to avoid sniffing on your
side of the link and if you don't trust your ISP you should look
for a different one.

-- 
  Les Mikesell
   lesmikesell at gmail.com
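
The mismatch described in the reply above, where the visible part of a link says one thing and the URL goes somewhere else, can be checked mechanically. This is an added example, not part of the original message; the names LinkCollector and suspicious_links and all host names are made up for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a host name or URL, e.g. "www.example.com/login".
HOSTLIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:[/?#].*)?$",
    re.IGNORECASE)

class LinkCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> element in a page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html):
    """Flag links whose visible text names one site while the href goes elsewhere."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        parts = urlsplit(href)
        target = (parts.hostname or "").lower()
        shown = HOSTLIKE.match(text)
        if not shown or not target:
            continue  # text is not URL-like, or href is relative: nothing to compare
        if shown.group(1).lower() != target:
            findings.append((text, target, "text/host mismatch"))
        elif text.lower().startswith("https://") and parts.scheme != "https":
            findings.append((text, target, "https shown, not used"))
    return findings

# Constructed sample page; all host names are placeholders.
SAMPLE = """
<a href="https://www.mybank.example/login">www.mybank.example</a>
<a href="http://login.other.example/">https://www.mybank.example/login</a>
<a href="http://www.mybank.example/login">https://www.mybank.example/login</a>
"""
```

Links whose text is not URL-like ("click here") are skipped, so this only catches the case where the displayed text claims a destination.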




