On 2/6/06, Mark McCulligh <[EMAIL PROTECTED]> wrote: > The client should alway be logging > in on their website for I hope they reallize if they where not on their > website.
I'm not sure if you understood or not, but my point was that a man-in-the-middle could make it look exactly like they were on their own site. He could simply replace the target URL on the form to point to his own site. (If you checked the URL-bar, you might see after-the-fact that you had gone to the wrong site. But the data would already be stolen.) Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
