how can you verify that the site you get is not a fake?

Matthew Miller mattdm at mattdm.org
Mon Jun 6 12:31:39 UTC 2005


On Sun, Jun 05, 2005 at 09:26:17PM -0700, bruce wrote:
> ssl certs don't allow you, the user, to know if you're at the right site!!
> unless it's not possible to fake the information returned by the server to
> the client. i suspect that the information stream is easily faked...

Since it uses reasonably strong cryptography, no, it's not too easy to do
that.

> my question.. how do you know that paypal.com.. is actually paypal.com
> (paypal), and not a carefully crafted fake!

How do you "know" anything? It all comes down to levels of trust. An SSL
certificate signed by a known authority is pretty good -- I don't know of
any cases where that's been subverted.

-- 
Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.



