David Woolley <[EMAIL PROTECTED]>:

>> Is the average lynx user going to need to know all of this esoteric stuff
>> to access SSL sites?
>
> If you are referring to my article, this is one of the great weaknesses
> of SSL on the web; people don't understand it and therefore are not
> getting the level of security that they think they are getting.

Correct. And I think understanding a "trust model" is not esoteric. SSL's trust model has root certificates at the top, which are used to sign certificates one level down, and those are used to sign certificates again one level down, until the one server you connect to presents its certificate. Lynx can check the signatures on this particular certificate to make sure there's a complete chain from the roots down. There are other such models, e.g. the "web of trust" as implemented in PGP. There, users can specify for themselves whom they trust and to what extent, and the web of trust has no central authority.

> Really, with security, a little knowledge is a dangerous thing, and I
> suspect that many people, if they really understood the trust structures
> associated with SSL, would be rather careful about checking the details
> of certificates.

Nothing to add here :)

> One major company even issued a Microsoft certificate to a company other
> than Microsoft, and there had to be a Windows critical update to block
> that certificate.

And I bet most m$ products installed would still trust that bogus certificate!

clemens

; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to [EMAIL PROTECTED]
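The chain walk described in the message above (root signs intermediate, intermediate signs the server certificate, client checks for a complete chain back to a root it trusts), together with the mis-issuance case from the end of the thread, as an added example in Go using only the standard library. This is not code from the lynx-dev thread or from Lynx itself. All certificates are constructed in memory and every name ("Trusted Root CA", "www.example.com", "Rogue Root CA", ...) is made up, so nothing touches the network. It goes a little beyond the text in two places: it also shows a server that sends its own self-signed root along with its certificate, and it shows what "an update to block that certificate" amounts to in code, an explicit distrust of one SHA-256 fingerprint applied after chain validation has already succeeded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // distinct serials for the constructed certificates

// issue creates an X.509 certificate for subject: self-signed (a root) when
// parent is nil, otherwise signed with parentKey. Failures here are bugs in
// the fixture itself, so they panic rather than propagate.
func issue(subject string, isCA bool, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // may sign the next level down
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// chainErr is the client-side check the message describes: does leaf chain, through
// whatever the server sent along, to a root the client already trusts, for host?
func chainErr(leaf *x509.Certificate, sent, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, DNSName: host})
	return err
}

// Demo builds root -> intermediate -> server plus a rogue hierarchy and reports,
// per scenario, whether the client accepts the certificate. Names are made up.
func Demo() map[string]bool {
	const site = "www.example.com"
	root, rootKey := issue("Trusted Root CA", true, nil, nil, nil)
	inter, interKey := issue("Trusted Intermediate CA", true, nil, root, rootKey)
	leaf, _ := issue(site, false, []string{site}, inter, interKey)
	rogueRoot, rogueKey := issue("Rogue Root CA", true, nil, nil, nil)
	rogueLeaf, _ := issue(site, false, []string{site}, rogueRoot, rogueKey)
	// Mis-issuance: the trusted intermediate signs the site's name for a party
	// that is not the site. Every signature in this chain is valid.
	misissued, _ := issue(site, false, []string{site}, inter, interKey)
	trusted, sent := pool(root), pool(inter)
	// What a vendor update that "blocks that certificate" amounts to: explicit
	// distrust of one SHA-256 fingerprint, checked after chain validation.
	blocklist := map[[32]byte]bool{sha256.Sum256(misissued.Raw): true}
	return map[string]bool{
		"full chain":                 chainErr(leaf, sent, trusted, site) == nil,
		"missing intermediate":       chainErr(leaf, nil, trusted, site) == nil,
		"rogue root sent along":      chainErr(rogueLeaf, pool(rogueRoot), trusted, site) == nil,
		"wrong host":                 chainErr(leaf, sent, trusted, "login.example.com") == nil,
		"misissued, chain check only": chainErr(misissued, sent, trusted, site) == nil,
		"misissued, with blocklist":  chainErr(misissued, sent, trusted, site) == nil && !blocklist[sha256.Sum256(misissued.Raw)],
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it with `go run` prints which scenarios the client accepts. The point to take from the last two entries is the one the thread makes: a correct signature chain says only that some trusted CA vouched for the name, not that it vouched for the right party, so a mis-issued certificate passes the chain check and can only be stopped by explicit distrust (a block list, or revocation) layered on top.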
