On Fri, Jun 13, 2003 at 04:32:12PM -0700, Bill Stewart wrote:
An e-gold-specific or paypal-specific client can tell,
because it can remember that it's trying to see the real thing,
but the browser can't tell, except by bugging you about
Hi, this is a new site that's giving us a new cert
Steven M. Bellovin wrote:
Let me point folk at http://www.securityfocus.com/news/5654
for a related issue. To put it very briefly, *real* authentication is
hard.
It may be that real authentication is hard, but the unbelievably sloppy
practices of domain name registrars doesn't prove the case.
Matt Crawford [EMAIL PROTECTED] writes:
... Netscrape ind Internet Exploder each have a hack for
honoring the same cert for multiple server names. Opera seems to honor at
least one of the two hacks, and a cert can incorporate both at once.
At 03:38 PM 6/11/03 -0600, Anne Lynn Wheeler wrote:
even before e-commerce, the real
BBB process was that people called up the BBB and got realtime information
i.e. it was an online, realtime process.
the equiivalent for an online, internet paradigm (as opposed to something
left over
At 05:34 PM 6/11/2003 -0700, David Honig wrote:
When I buy $20 of gas with non-bearer credentials (ie, credit card),
the vendor does a real-time check on me. Seems fair/useful to be able
to do same on them. I suppose eBay's feedback suffices... if their
last N feedbacks are negative, I might go
--- James A. Donald [EMAIL PROTECTED] wrote:
--
On 11 Jun 2003 at 20:07, Steven M. Bellovin wrote:
Let me point folk at http://www.securityfocus.com/news/5654
for a related issue. To put it very briefly, *real*
authentication is hard.
I don't think so.
Verisign's
IE checks the server name against each CN's individually.
I found that by experimentation too. I have VBScript sample on how to generate
such a CSR request for IIS using the CryptoAPI.
Furthermore, IE does not care if the CNs have different domains.
e.g.
Sunder [EMAIL PROTECTED] writes:
The worst trouble I've had with https is that you have no way to use host
header names to differentiate between sites that require different SSL
certificates.
i.e. www.foo.com www.bar.com www.baz.com can't all live on the same IP and
have individual ssl
At 10:56 AM 6/11/2003 -0400, Sunder wrote:
In either case, we wouldn't need to worry about paying Verisign or anyone
else if we had properly secured DNS. Then you could trust those pop-up
self-signed SSL cert warnings.
actually, if you had a properly secured DNS then you could trust DNS
to
somewhat related to the early posting in this m.l. about distributed
computing systems conference and possible interest from security and
cryptography sections.
when my wife and I were doing ha/cmp
http://www.garlic.com/~lynn/subtopic.html#hacmp
we were working with two people in the following
At 5:12 PM -0700 6/8/03, Anne Lynn Wheeler wrote:
somebody (else) commented (in the thread) that anybody that currently
(still) writes code resulting in buffer overflow exploit maybe should be
thrown in jail.
A nice essay, partially on the need to include technological protections
against human
Yes, NOW if you can load yourself into kernel space, you can do anything
and everything - Thou Art God to quote Heinlein. This is true of every
OS. Except if you add that nice little TCPA bugger which can verify the
kernel image you're running is the right and approved one. Q.E.D.
Look at the
At 02:55 PM 6/8/2003, James A. Donald wrote:
Attached is a spam mail that constitutes an attack on paypal similar
in effect and method to man in the middle.
The bottom line is that https just is not working. Its broken.
The fact that people keep using shared secrets is a symptom of https
not
At 11:43 PM 6/8/2003 +0100, Dave Howe wrote:
HTTPS works just fine.
The problem is - people are broken.
At the very least, verisign should say ok so '..go1d..' is a valid server
address, but doesn't it look suspiously similar to this '..gold..' site over
here? for https://pseudo-gold-site/ - but
in a world where there are repeated human mistakes/failures
at some point it is recognized that people aren't perfect and the design
is changed to accommodate peoples foibles. in some respects that is what
helmets, seat belts, and air bags have been about.
The problem is here, we are
15 matches
Mail list logo
