Re: once more, with feeling.

2008-09-18 Thread Peter Gutmann
Dirk-Willem van Gulik [EMAIL PROTECTED] writes: As to technical options to accomplish this The mechanisms for this actually already exist, they're just not used. First of all, you need to admit that you have a problem: SSL certs by themselves are more or less useless in providing assurance, the

Cookie Monster

2008-09-18 Thread EMC IMAP
Yet another web attack: http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/ Apparently, this one was found and described over a year ago by Mike Perry, who decided to release all the details when there was no significant followup. (Sidejacking was announced at about the same

Re: once more, with feeling.

2008-09-18 Thread Darren J Moffat
Dirk-Willem van Gulik wrote: ... discussion on CA/cert acceptance hurdles in the UI I am just wondering if we need a dose of PGP-style reality here. We're really seeing 3 or 4 levels of SSL/TLS happening here - and whilst they all appear to use the same technology - the assurances, UI,