> Tyler Close wrote:
>
>> Consider the case where I come across a new SSL site for an online
>> entity. The site is interesting, so I create a new account and
>> simultaneously assign a petname. From that moment forward, I know that
>> I am interacting with the same site I first created the account with.
>> Now, if the thing of value is my password, what does it mean to say
>> the initial connection was spoofed? Who was it that I found
>> interesting?
>
> You're making the assumption the only people that find value in
> information are phishing attacks, what I'm suggesting is that other
> entities also find value in it and while preventing one vector, you're
> not covering other vectors of attack, such as a company proxy server
> intercepting all SSL traffic. I don't know about you but I'd rather not
> have companies I work for, or overarching governments that think they
> have a right to know every tiny piece of information about me, the most
> obvious of course is the Chinese government's Great Firewall of China...
Toolbars that record the SSL cert (such as trustbar.m.o and petname.m.o)
easily cover the Great Firewall of China (love that name!) because
that's all they show: that your cert is the GFWC. If you go to your bank
it says "China" and if you go to your webmail it says "China" ... in fact
it always says China, so you know just what protection you are being
given: the best the Chinese can give you :-)

It's perhaps wrong to say that these things protect you; what they
really do is point out when your protection model has been fiddled.

> In which case neither blindly accepting fingerprints or petnames will
> actually prove you're talking directly to the server you think you are...

The point of this is to show that you are *not* talking to who you
thought you were, not the other way around. This isn't binary logic...

iang

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
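The behaviour iang describes, recording the certificate at the moment a petname is assigned and afterwards pointing out when the site presents a different certificate, and the "it always says China" signal of every site suddenly sharing one issuer, as an added example in Python. This is not code from trustbar.m.o or petname.m.o; the certificates, hostnames and the "Intercepting Proxy CA" issuer name are constructed stand-ins, and the DER bytes are placeholder strings that exist only so a fingerprint can be hashed.

```python
# Added example (not the trustbar.m.o / petname.m.o code): a toy petname
# store that pins a site's certificate on first contact and afterwards
# reports whether the same certificate is presented, plus the issuer seen.
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    der: bytes  # constructed byte string standing in for the DER encoding

    def fingerprint(self) -> str:
        # A certificate fingerprint is a hash over the DER encoding.
        return hashlib.sha256(self.der).hexdigest()


@dataclass
class PetnameStore:
    # host -> (petname, pinned fingerprint, issuer seen when pinned)
    pins: dict = field(default_factory=dict)

    def assign(self, host: str, petname: str, cert: Cert) -> None:
        """The user assigns a petname on first visit; the cert seen is pinned."""
        self.pins[host] = (petname, cert.fingerprint(), cert.issuer)

    def check(self, host: str, cert: Cert) -> tuple:
        """What the toolbar would display for this (host, cert) pair.

        Returns (status, petname_or_None, issuer_seen): "UNKNOWN" for a
        site with no petname yet, "MATCH" when the pinned fingerprint is
        presented again, "CHANGED" when a petnamed site presents some
        other certificate (the "protection model has been fiddled" case).
        """
        if host not in self.pins:
            return ("UNKNOWN", None, cert.issuer)
        petname, pinned_fp, _ = self.pins[host]
        if cert.fingerprint() == pinned_fp:
            return ("MATCH", petname, cert.issuer)
        return ("CHANGED", petname, cert.issuer)


def common_issuer(results: list) -> Optional[str]:
    """If every certificate seen in a session came from one issuer, return it.

    A proxy that re-signs every site's certificate shows up as the same
    issuer everywhere; independent sites normally do not share one.
    """
    issuers = {issuer for _, _, issuer in results}
    return issuers.pop() if len(issuers) == 1 else None


def demo() -> dict:
    """Run the thread's scenario with constructed certificates."""
    store = PetnameStore()

    # Direct connections: each site presents its own CA-issued certificate.
    bank_cert = Cert("bank.example", "Example Bank CA", b"bank-der-v1")
    mail_cert = Cert("mail.example", "Example Mail CA", b"mail-der-v1")
    store.assign("bank.example", "My Bank", bank_cert)
    store.assign("mail.example", "My Webmail", mail_cert)
    direct = [
        store.check("bank.example", bank_cert),
        store.check("mail.example", mail_cert),
    ]

    # Later, all traffic passes through an intercepting proxy that re-signs
    # every site's certificate under its own CA (constructed name).
    proxy_ca = "Intercepting Proxy CA"
    bank_via_proxy = Cert("bank.example", proxy_ca, b"bank-der-resigned")
    mail_via_proxy = Cert("mail.example", proxy_ca, b"mail-der-resigned")
    intercepted = [
        store.check("bank.example", bank_via_proxy),
        store.check("mail.example", mail_via_proxy),
    ]

    return {
        "direct": direct,
        "direct_common_issuer": common_issuer(direct),
        "intercepted": intercepted,
        "intercepted_common_issuer": common_issuer(intercepted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The store never claims the first-seen certificate was the right one; as the thread says, it can only report that the site is no longer the one the petname was attached to. The issuer column is what makes a transparent proxy visible even on a first visit, since every site then reports the same issuer.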
