"Steven M. Bellovin" wrote:
> 
> The obvious protection is for users to check the certificate.  Most users, of
> course, don't even know what a certificate is, let alone what the grounds are
> for accepting one.  It would also help if servers used client-side
> certificates for authentication, since the man-in-the-middle can't spoof
> the user's certificate.  But almost no servers do that.

The user doesn't need to check the certificate.  Certificates for HTTP servers
contain the host name of the machine they certify.  The web browser checks the
hostname in the certificate against the hostname in the URL.  All the user must
do is check the hostname in the URL that is displayed on his screen.

-- 
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice.  You must understand Tao before      | [EMAIL PROTECTED]
transcending structure.  -- The Tao of Programming   |
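The browser-side check described in the reply above, spelled out as added example code (it is not from the thread or from any browser): a hostname matcher over certificate dicts in the shape Python's ssl getpeercert() returns, applying the rules browsers use (RFC 6125): the URL's host must equal a DNS subjectAltName entry, the Subject CN is consulted only when no DNS SANs exist, a wildcard is accepted only as the whole leftmost label and never spans a dot, and an IP literal in the URL must match an IP SAN. The function names and the sample certificates are constructed for this illustration.

```python
"""Hostname verification as a browser performs it (added illustration, not from the thread).

The certificate dicts are constructed samples in the shape of
ssl.SSLSocket.getpeercert(); the matching rules follow RFC 6125.
"""
import ipaddress
from urllib.parse import urlsplit


def _dns_names(cert):
    """DNS names the certificate vouches for: SAN entries, else the Subject CN."""
    sans = [val for typ, val in cert.get("subjectAltName", ()) if typ == "DNS"]
    if sans:
        return sans
    return [val for rdn in cert.get("subject", ()) for key, val in rdn if key == "commonName"]


def _ip_names(cert):
    """IP-address SAN entries (only these may match an IP literal in the URL)."""
    return [val for typ, val in cert.get("subjectAltName", ()) if typ == "IP Address"]


def _name_matches(pattern, host):
    """Match one certificate name against a host, case-insensitively.

    A wildcard must be the entire leftmost label, needs at least two further
    labels after it (so '*.com' is rejected, a conservative rule), and covers
    exactly one label: '*.example.net' matches 'api.example.net' but not
    'deep.api.example.net' or 'example.net'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, host):
    """True if `host` (a DNS name or an IP literal) is covered by `cert`."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must match an IP SAN exactly; DNS names do not count.
        return any(ipaddress.ip_address(v) == ip for v in _ip_names(cert))
    return any(_name_matches(name, host) for name in _dns_names(cert))


def url_matches_cert(url, cert):
    """The browser's check: hostname taken from the URL versus the presented certificate."""
    host = urlsplit(url).hostname  # discards scheme, userinfo, port and path
    if host is None:
        return False
    return hostname_matches(cert, host)


# Constructed sample certificates (hypothetical names, getpeercert() shape).
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"), ("IP Address", "192.0.2.10")),
}
LEGACY_CN_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}

if __name__ == "__main__":
    for url, cert in [
        ("https://www.bank.example/login", BANK_CERT),
        ("https://www.bank.example.other.test/", BANK_CERT),
        ("https://api.example.net:8443/v1", WILDCARD_CERT),
        ("https://deep.api.example.net/", WILDCARD_CERT),
        ("https://192.0.2.10/", WILDCARD_CERT),
        ("https://legacy.example.org/", LEGACY_CN_CERT),
    ]:
        print(url, "->", url_matches_cert(url, cert))
```

The point of the second sample URL is the one the reply makes: the certificate may be perfectly valid for whatever host actually served the page, so the check that matters is whether the name in the URL bar is the name the certificate was issued for.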
