
Re: how can you verify that the site you get is not a fake?



On Mon, Jun 06, 2005 at 07:36:04AM -0700, bruce wrote:
> and matt.. now you see the issue that i've been dealing with...
> my bad for not clarifying it earlier.. the ssl aspect helps, but it still
> doesn't get to the issue of allowing someone to 'know' or be extremely
> certain, that the site they're on, is the 'right' site for the url that
> they're trying to obtain...

I think it'd help a lot if you'd clarify exactly who you're trying to help,
here. All visitors to a general-interest web site? Your customers? All
employees of a business, or other members of your own organization?


> on a similar tip. if you lose your password.. what's a secure way to get the
> password. the current method (of course) is to send you a new password via
> email.. assuming that you know your username. but given the fact that email
> is text, and could easily be sniffed, is there another/better way.. (and
> let's not get into public/private encryption!!)

The method you describe is one of the poorer current methods. A slightly
better one sends a hashed URL to the e-mail on record, and if you then go to
that site, you can set a new password. Still somewhat weak, but at least the
actual password isn't going in plain text -- and presumably, if someone else
changes your password by intercepting the mail, you'll at least know about
it.


[ps: it'd make this conversation go easier if you could not top post --
thanks!]

-- 
Matthew Miller           mattdm mattdm org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.
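The reset-link approach described in the message above, as an added example that is not part of the original post. It goes one step further than the message by making the link expire and work only once; the function names, the in-memory store, the 15-minute lifetime and the example.org host are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

# Hypothetical in-memory store: username -> (SHA-256 of token, expiry time).
# A real site would keep this in its user database.
_pending = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset_url(username, now=None):
    """Return a one-time URL to mail to the address on record.

    Only the hash of the token is stored, so a leaked copy of the
    store does not yield usable reset links.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[username] = (_digest(token), now + RESET_TTL_SECONDS)
    query = urlencode({"user": username, "token": token})
    return "https://example.org/reset?" + query  # placeholder host


def redeem(username, token, now=None):
    """True if the token is valid, unexpired and unused; then consume it."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    stored, expires = entry
    if now > expires:
        del _pending[username]  # expired links are discarded
        return False
    if not hmac.compare_digest(stored, _digest(token)):
        return False  # wrong guess does not cancel the real link
    del _pending[username]  # single use: a replayed link fails
    return True
```

Because the link is consumed on first use, a legitimate user whose mail was intercepted finds the link already dead, which is the "you'll at least know about it" property mentioned in the message.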

