Re: New toy: SSLbar

2003-07-02 Thread mister_lee
Adam Fields said: On Fri, Jun 27, 2003 at 12:56:24AM +1000, Mister Lee wrote: Regarding the usefulness of SSLbar itself, its immediate purpose was fingerprint display, as a (theoretically) easy means of checking a cert't validity yourself, ... Maybe this is a stupid question, but exactly how

Re: New toy: SSLbar

2003-07-02 Thread James A. Donald
-- On 2 Jul 2003 at 6:04, [EMAIL PROTECTED] wrote: If you can't get/verify the fingerprint at least once via another channel, you can't use SSLbar to verify the cert. About the best you can do is ensure that you're seeing the same fingerprint every time you visit the site. In practice,

Re: New toy: SSLbar

2003-07-02 Thread Barney Wolff
On Wed, Jul 02, 2003 at 11:05:08AM -0700, James A. Donald wrote: In practice, if people were able to ensure they saw the same cert every time they hit what is purportedly the same site, this would take out most scams. What's wrong with the ssh known-hosts approach, for this? Do sites change

Re: New toy: SSLbar

2003-06-30 Thread Adam Fields
On Fri, Jun 27, 2003 at 12:56:24AM +1000, Mister Lee wrote: Regarding the usefulness of SSLbar itself, its immediate purpose was fingerprint display, as a (theoretically) easy means of checking a cert's validity yourself, rather than relying on a third party signing. That list of

Re: New toy: SSLbar

2003-06-26 Thread Mister Lee
Steven M. Bellovin wrote: Please don't take this personally... None taken here either, and I'm the author :) From a security point of view, why should anyone download any plug-in from an unknown party? In this very specific case, why should someone download a a plug-in that by its own

Re: New toy: SSLbar

2003-06-25 Thread Pete Chown
Steven M. Bellovin wrote: From a security point of view, why should anyone download any plug-in from an unknown party? In this very specific case, why should someone download a a plug-in that by its own description is playing around in the crypto arena. I think this is a problem for all open

Re: New toy: SSLbar

2003-06-25 Thread Ian Grigg
Steven M. Bellovin wrote: Please don't take this personally... None taken here, and I doubt that the author of the tool (who has just joined this list it seems) would take any! From a security point of view, why should anyone download any plug-in from an unknown party? In this very specific

Re: New toy: SSLbar

2003-06-25 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ian Grigg writes: Also, to impune the plug-in arrangement is to impune all plug-ins, and to impune the download from an unknown is to impune all downloads from unknowns. Sounds about right... ... I.e., download this fantastic tool which just so annoyingly

Re: New toy: SSLbar

2003-06-25 Thread Andy Isaacson
On Wed, Jun 25, 2003 at 12:02:39PM +0100, Pete Chown wrote: On the other hand, once a back door is installed in binary-only software, it is much less likely to be found. The Interbase back door was only found when the source was opened. I doubt the truth of this statement. Certainly, the

New toy: SSLbar

2003-06-24 Thread Steve Schear
It's a toolbar for Mozilla (and related web browsers) that automatically displays the SHA1 or MD5 fingerprint of the SSL certificate when you visit an SSL secured web site. You could of course click the little padlock icon and dig through a couple of dialogs to see it, but it's much easier when

Re: New toy: SSLbar

2003-06-24 Thread Steven M. Bellovin
It's a toolbar for Mozilla (and related web browsers) that automatically displays the SHA1 or MD5 fingerprint of the SSL certificate when you visit an SSL secured web site. You could of course click the little padlock icon and dig through a couple of dialogs to see it, but it's much easier