Downloading each new browser version using HTTPS (with the previous release)
would be advisable.
Nicolas Roumiantzeff.
-----Original Message-----
From: Harry Whitehouse <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, 16 November 1999 06:34
Subject: Question about Browser Authenticity
>This may be slightly off-topic, so let me apologize in advance.
>
>The SSL protocol requires that the client side (say a browser) use
>appropriate crypto to read the server's certificate and verify the signature
>on the transmitted public key (using the public key of a trusted 3rd party
>such as Verisign).
>
>How can the user be certain that their browser (or other SSL3 client) hasn't
>been compromised -- or that they have a rogue version of the client -- which
>will go through the motions of authenticating the server but really not do a
>proper job? The result being that the user *thinks* he/she has established
>a secure connection to the desired party, but in fact is connected to
>another site.
>
>Basically, the issue is how does one ensure (if possible!) that an internet
>client is using valid methods to verify server certificates?
>
>TIA
>
>Harry
>
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>