how can you verify that the site you get is not a fake?

Joel Jaeggli joelja at darkwing.uoregon.edu
Mon Jun 6 17:27:34 UTC 2005


On Mon, 6 Jun 2005, bruce wrote:

> matt, i understand what you're saying...
>
> but i still don't see how this protects/allows a user to 'know' that the site
> he's on is the correct site...
>
> as an example. i go to the verisign site (www.verisign.com) i can select the
> verisign logo, which displays a pop-up. i read it, it looks good.. i think
> i'm secure...
>
> however, there's nothing that i look at, that couldn't be forged/faked by
> you or i with the right web app knowledge...

No, that's the point, the cert is infeasible to forge.

> i understand that the 'ssl/lock' is a function of the browser and is
> supposed to be used to present details of the ssl certificate employed... i
> also understand that the lock function is a component of the browser...
> however, this assumes the user knows to click on the 'lock'. if i were to
> provide a fake 'picture/icon' for the user to select, such that it displayed
> the fake ssl information, in all likelihood, the user wouldn't know the
> difference..

Social engineering is something that can only be prevented through
vigilance.

> -bruce
>
>
> -----Original Message-----
> From: fedora-list-bounces at redhat.com
> [mailto:fedora-list-bounces at redhat.com]On Behalf Of Matthew Miller
> Sent: Monday, June 06, 2005 6:16 AM
> To: For users of Fedora Core releases
> Subject: Re: how can you verify that the site you get is not a fake?
>
>
> On Mon, Jun 06, 2005 at 06:05:58AM -0700, bruce wrote:
>> but you still haven't addressed my problem/issue/question...
>> and that's how do i as a user (not an app) know that this is the right
>> site for the url i entered... my fear is that a malicious site, could
>> simply fake the information he's providing, to 'look' like the actual/real
>> site...
>> and as of yet.. i can't craft a solution to this issue...
>
> You could trust us that it's very hard to fake the SSL information, and then
> you could inspect that. (Double click on the little lock icon.) You'll see
> something like:
>
>  Web Site Identity Verified
>
>  The web site www.bu.edu supports authentication for the page you are
>  viewing. The identity of this web site has been verified by Thawte
>  Consulting cc, a certificate authority you trust for this purpose.
>
>
> In the Firefox advanced preferences, you can manage which certificate
> authorities you trust.
>
>
>
> --
> Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
> Boston University Linux      ------>                <http://linux.bu.edu/>
> Current office temperature: 80 degrees Fahrenheit.
>

-- 
--------------------------------------------------------------------------
Joel Jaeggli  	       Unix Consulting 	       joelja at darkwing.uoregon.edu
GPG Key Fingerprint:     5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2



