how can you verify that the site you get is not a fake?
bruce
bedouglas at earthlink.net
Mon Jun 6 14:36:04 UTC 2005
and matt.. now you see the issue that i've been dealing with...
my bad for not clarifying it earlier.. the ssl aspect helps, but it still
doesn't get to the issue of allowing someone to 'know' or be extremely
certain, that the site they're on, is the 'right' site for the url that
they're trying to obtain...
on a similar tip. if you lose your password.. what's a secure way to get the
password. the current method (of course) is to send you a new password via
email.. assuming that you know your username. but given the fact that email
is text, and could easily be sniffed, is there another/better way.. (and
let's not get into public/private encryption!!)
any ideas/thoughts...
-bruce
-----Original Message-----
From: fedora-list-bounces at redhat.com
[mailto:fedora-list-bounces at redhat.com]On Behalf Of Matthew Miller
Sent: Monday, June 06, 2005 6:54 AM
To: For users of Fedora Core releases
Subject: Re: how can you verify that the site you get is not a fake?
On Mon, Jun 06, 2005 at 06:48:31AM -0700, bruce wrote:
> matt, i unsderstand what you're saying...
> but i still don't see how this protects/allows a user to 'know' that th
site
> he's on is the correct site...
> as an example. i go to the verisign site (www.verisign.com) i can select
the
> verisign logo, which displays a pop-up. i read it, it looks good.. i think
> i'm secure...
> however, there's nothing that i look at, that couldn't be forged/faked by
> you or i with the right web app knowledge...
Sure. But go to <https://www.verisign.com/> isntead.
> i understand that the 'ssl/lock' is a function of the browser and is
> supposed to be used to present details of the ssl certificate employed...
i
> also understand that the lock function is a component of the browser...
> however, this asumes the user knows to click on the 'lock'. if i were to
> provide a fake 'picture/icon' for the user to select, such that it
displayed
> the fake ssl information, in all likelyhood, the user wouldn't know the
> difference..
Um, this is a switch. Now you're asking: "How can I make all possible idiots
in the world know" rather than "How can *I* know". Obviously one has to know
about and use the browser's security features for this to work.
You (as a malicious website) can't provide a fake SSL icon, because you
don't control the frame of the web browser, just the page contents. If the
user is tricked by some graphic you've done up and put on the site, yeah,
not much to do about that.
--
Matthew Miller mattdm at mattdm.org <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.
--
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
More information about the fedora-list
mailing list