Corey Edwards <[EMAIL PROTECTED]> writes:
> It's vulnerable to a non-ssl attack. Swap out the https login URL for
> one of your own devising. Then simply proxy all the https info to the
> user over your spoofed http connection. It would work against anybody
> who doesn't verify the cute little lock icon. Or use a self-signed cert
> and hope to catch somebody who would ignore the error, as most people
> would.

I never said it was totally secure, just that it wasn't vulnerable to
the particular attack.  At least your version of an attack has several
(perhaps inconspicuous and oft-ignored) roadblocks that must be
ignored before it works.

                --Levi



/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
