how can you verify that the site you get is not a fake?
Joel Jaeggli
joelja at darkwing.uoregon.edu
Mon Jun 6 04:34:13 UTC 2005
On Sun, 5 Jun 2005, bruce wrote:
> ssl certs don't allow you, the user to know if you're at the right site!!
> unless it's not possible to fake the information returned by the server to
> the client. i suspect that the information stream is easily faked...
ssl cert's are an assertion that the ca (cetrifcate authority) is
asserting that the site you connecting to is who they say they are. if you
trust the ca (who's public key is in your keyring) then you trust the
sites that they vouch for. forging the ca's signature is infeasable.
subverting the ca's procedures for signing a cert are in some cases not.
> my question.. how do you know that paypal.com.. ia actually paypal.com
> (paypal), and not a carefuly crafted fake!
because you trust verisign. (maybe you trust them)
> -bruce
>
>
>
> -----Original Message-----
> From: fedora-list-bounces at redhat.com
> [mailto:fedora-list-bounces at redhat.com]On Behalf Of Matthew Miller
> Sent: Sunday, June 05, 2005 3:15 PM
> To: For users of Fedora Core releases
> Subject: Re: how can you verify that the site you get is not a fake?
>
>
> On Sun, Jun 05, 2005 at 01:37:19PM -0700, bruce wrote:
>> if i go to a site, how can i verify that the site that's displayed is
> really
>> the 'correct' site. is there a way to actually 'get' the ip address, and
>> then to determine if that ip address actually matches up to the 'owner' of
>> the site i'm looking at....
>> any thoughts/ideas/etc...
>
> There's really not an absolutely good way to do this. The best we've got is
> SSL server certificates.
>
> --
> Matthew Miller mattdm at mattdm.org <http://www.mattdm.org/>
> Boston University Linux ------> <http://linux.bu.edu/>
> Current office temperature: 80 degrees Fahrenheit.
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
>
--
--------------------------------------------------------------------------
Joel Jaeggli Unix Consulting joelja at darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
More information about the fedora-list
mailing list