Tyler Close wrote:
> Consider the case where I come across a new SSL site for an online
> entity. The site is interesting, so I create a new account and
> simultaneously assign a petname. From that moment forward, I know that
> I am interacting with the same site I first created the account with.
> Now, if the thing of value is my password, what does it mean to say
> the initial connection was spoofed? Who was it that I found
> interesting?
You're making the assumption that the only people who find value in information are phishing attackers; what I'm suggesting is that other entities also find value in it, and while preventing one vector, you're not covering other vectors of attack, such as a company proxy server intercepting all SSL traffic. I don't know about you, but I'd rather not have companies I work for, or overarching governments that think they have a right to know every tiny piece of information about me, the most obvious of course being the Chinese government's Great Firewall of China... In which case neither blindly accepting fingerprints nor petnames will actually prove you're talking directly to the server you think you are...

-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
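The exchange above turns on what a petname actually binds to. The following is an added illustration, not code from either poster or from any petname tool: a minimal trust-on-first-use petname store that binds a petname to the SHA-256 fingerprint of the certificate seen when the petname was assigned. The two "certificates" are constructed byte strings standing in for DER leaf certificates. It shows that a later interceptor is detected, but an interceptor already present on the first visit simply becomes the trusted binding; the store cannot tell the two histories apart.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the DER bytes a TLS client would receive in the handshake.
SITE_CERT = b"constructed: certificate for example.test, site's own key"
PROXY_CERT = b"constructed: certificate minted by an intercepting proxy"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate; this is the value a petname gets bound to."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PetnameStore:
    """Trust-on-first-use store: petname -> fingerprint observed when the petname was assigned."""
    bindings: dict = field(default_factory=dict)

    def assign(self, petname: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        self.bindings[petname] = fp
        return fp

    def check(self, petname: str, cert_der: bytes) -> str:
        """Return 'unknown', 'match' or 'MISMATCH' for the certificate presented now."""
        expected = self.bindings.get(petname)
        if expected is None:
            return "unknown"
        return "match" if expected == fingerprint(cert_der) else "MISMATCH"


def scenario(first_cert: bytes, later_cert: bytes) -> tuple:
    """Assign a petname on the first visit, then re-check with the same and a different cert."""
    store = PetnameStore()
    store.assign("my-bank", first_cert)
    return store.check("my-bank", first_cert), store.check("my-bank", later_cert)


if __name__ == "__main__":
    # Clean first visit: the binding is to the site's key, so a proxy appearing later is flagged.
    print(scenario(SITE_CERT, PROXY_CERT))   # ('match', 'MISMATCH')
    # Proxy present from the first visit: the petname binds to the proxy's key, the proxy keeps
    # matching, and the only alarm fires when the genuine site is finally reached directly.
    print(scenario(PROXY_CERT, SITE_CERT))   # ('match', 'MISMATCH')
```

The identical output for both histories is the point of the thread: a petname guarantees continuity with whatever answered first, not that the first answerer was the site itself.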
