how can you verify that the site you get is not a fake?

Matthew Miller mattdm at mattdm.org
Mon Jun 6 15:40:40 UTC 2005


On Mon, Jun 06, 2005 at 08:22:11AM -0700, bruce wrote:
> i was referring to the issue of anything sent via email that's not
> encrypted is 'weak'.. if you send a hashed passwd/data via email, along
> with a url for the user to link to, you're still in the same situation you
> have now.. some one could spoof your email and send it, changing the
> url...

No, it's slightly better than just sending the password, because even if the
message is intercepted, at least the victim will be aware that someone else
changed the password.


> it's obvious that i'm only interested in this problem/solution as it
> pertains to sites that require you to login (user/passwd) because the site
> has something of value... these are also the sites with the $$$ for a
> reasonable/good solution!

Someone else suggested using snail mail -- sending a reset token (again, not
a new password) this way is one approach. (The Vermont college savings plan
I just set up for my daughter uses this, for example.)

Again, it comes down to balancing risks. How important is convenience vs.
security?

-- 
Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.
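The reset-token scheme discussed above (a single-use, expiring token sent to the user rather than a new password), as an added example that is not part of the original thread; the `ResetTokenStore` class and the 15-minute lifetime are assumptions. Only a hash of the token is stored, so a database leak does not expose usable tokens, and because a token works exactly once, a legitimate user whose token was intercepted and redeemed first sees their own reset fail, which is the "victim will be aware" property Matthew describes.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime for an unused reset token (not from the original thread).
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Single-use, expiring password-reset tokens; only token hashes are stored."""

    def __init__(self):
        # username -> (sha256 hex of token, expiry timestamp)
        self._pending = {}

    def issue(self, username, now=None):
        """Create a fresh token for `username`; the returned value goes in the e-mail link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (digest, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username, token, now=None):
        """Return True and consume the token if it is outstanding, unexpired and correct."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False  # no reset in progress, or the token was already used
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[username]  # expired tokens are discarded
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False  # wrong token; constant-time compare avoids timing leaks
        del self._pending[username]  # single use: a second redemption fails
        return True
```

A real deployment would also rate-limit `redeem` and notify the account's address when a reset is issued or completed.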
