On Wednesday 18 May 2005 10:15, Duane wrote:
> Ian G wrote:
> > Now, it may be said that SSL simply doesn't cover those,
> > which is fair, but security is an overall equation, which
> > means that unless the really big holes are covered,
> > there is no point in worrying too much about the small
> > holes.
>
> Ummm 1 little problem here, if you remove the pop-ups, you increase the
> risk of someone making a certificate for "*", or even better yet, remove
> SSL altogether and have someone acting as a proxy, sure they may not
> listen on an open connection, but if you're able to proxy the data it's
> almost as easy...

You are absolutely right - one little problem. Yes, you can do all these things. The question is whether a rational, economically calculating crook would do this. As it turns out, not likely.

List out your threats. Then validate them - measure them. Make sure they are actually present and causing damage before spending a dime on protecting against them.

iang
--
http://iang.org/
