RE: how can you verify that the site you get is not a fake?
From: Joel Jaeggli (joelja_at_darkwing.uoregon.edu)
Date: 06/06/05
- Previous message: Michael Yep: "Re: / partition full root user also not able to write anything to disk"
- In reply to: bruce: "RE: how can you verify that the site you get is not a fake?"
- Next in thread: Scot L. Harris: "RE: how can you verify that the site you get is not a fake?"
Date: Mon, 6 Jun 2005 10:27:34 -0700 (PDT)
To: bedouglas@earthlink.net, For users of Fedora Core releases <fedora-list@redhat.com>
On Mon, 6 Jun 2005, bruce wrote:
> matt, i understand what you're saying...
>
> but i still don't see how this protects/allows a user to 'know' that the site
> he's on is the correct site...
>
> as an example. i go to the verisign site (www.verisign.com) i can select the
> verisign logo, which displays a pop-up. i read it, it looks good.. i think
> i'm secure...
>
> however, there's nothing that i look at, that couldn't be forged/faked by
> you or i with the right web app knowledge...
No, that's the point, the cert is infeasible to forge.
> i understand that the 'ssl/lock' is a function of the browser and is
> supposed to be used to present details of the ssl certificate employed... i
> also understand that the lock function is a component of the browser...
> however, this assumes the user knows to click on the 'lock'. if i were to
> provide a fake 'picture/icon' for the user to select, such that it displayed
> the fake ssl information, in all likelihood, the user wouldn't know the
> difference..
Social engineering is something that can only be prevented through
vigilance.
> -bruce
>
>
> -----Original Message-----
> From: fedora-list-bounces@redhat.com
> [mailto:fedora-list-bounces@redhat.com]On Behalf Of Matthew Miller
> Sent: Monday, June 06, 2005 6:16 AM
> To: For users of Fedora Core releases
> Subject: Re: how can you verify that the site you get is not a fake?
>
>
> On Mon, Jun 06, 2005 at 06:05:58AM -0700, bruce wrote:
>> but you still haven't addressed my problem/issue/question...
>> and that's how do i as a user (not an app) know that this is the right
>> site for the url i entered... my fear is that a malicious site, could
>> simply fake the information he's providing, to 'look' like the actual/real
>> site...
>> and as of yet.. i can't craft a solution to this issue...
>
> You could trust us that it's very hard to fake the SSL information, and then
> you could inspect that. (Double click on the little lock icon.) You'll see
> something like:
>
> Web Site Identity Verified
>
> The web site www.bu.edu supports authentication for the page you are
> viewing. The identity of this web site has been verified by Thawte
> Consulting cc, a certificate authority you trust for this purpose.
>
>
> In the Firefox advanced preferences, you can manage which certificate
> authorities you trust.
>
>
>
> --
> Matthew Miller mattdm@mattdm.org <http://www.mattdm.org/>
> Boston University Linux ------> <http://linux.bu.edu/>
> Current office temperature: 80 degrees Fahrenheit.
>
> --
> fedora-list mailing list
> fedora-list@redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
>
--
--------------------------------------------------------------------------
Joel Jaeggli  Unix Consulting  joelja@darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
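The check behind the lock icon discussed in this thread, as an added example that is not part of the original messages: two certificates that display identical subject and issuer names, of which only the one signed with the trusted CA's key verifies. It assumes the `openssl` command-line tool is installed; the CA name, the host name `www.example.test` and all keys are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every name, key and certificate below is constructed locally.
CA_SUBJ="/O=Example Trusted CA/CN=Example Trusted CA"
SITE_SUBJ="/CN=www.example.test"

# new_ca NAME: self-signed CA certificate NAME.pem with its own key NAME.key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$CA_SUBJ" \
        -keyout "$1.key" -out "$1.pem"
}

# new_leaf NAME CA: site certificate NAME.pem signed with CA.key
new_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "$SITE_SUBJ" \
        -keyout "$1.key" -out "$1.csr" &&
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.pem"
}

# Build a throwaway PKI in directory $1:
#   ca.pem   - the CA the client trusts (stands in for a browser's root list)
#   site.pem - the real site's certificate, signed with the trusted CA's key
#   fake.pem - same site name, issued by a CA that copies the trusted CA's
#              name but holds a different key
make_demo_pki() {
    (
        cd "$1" || exit 1
        new_ca ca && new_ca fakeca &&
        new_leaf site ca && new_leaf fake fakeca
    ) >/dev/null 2>&1
}

# trusted DIR CERT: succeeds only if CERT chains to DIR/ca.pem by signature
trusted() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2" >/dev/null 2>&1
}

run_demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    rc=0
    if trusted "$dir" site.pem; then echo "site.pem: verified"; else rc=1; fi
    if trusted "$dir" fake.pem; then rc=1; else echo "fake.pem: rejected"; fi
    rm -rf "$dir"
    return $rc
}

run_demo
```

The names shown for `fake.pem` match those of `site.pem` exactly; the verification fails because the signature was not made with the trusted CA's private key.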