how can you verify that the site you get is not a fake?

bruce bedouglas at earthlink.net
Mon Jun 6 15:22:11 UTC 2005


matt..

i was referring to the issue of anything sent via email that's not encrypted
is 'weak'.. if you send a hashed passwd/data via email, along with a url for
the user to link to, you're still in the same situation you have now..
someone could spoof your email and send it, changing the url...

it's obvious that i'm only interested in this problem/solution as it
pertains to sites that require you to login (user/passwd) because the site
has something of value... these are also the sites with the $$$ for a
reasonable/good solution!

-bruce


-----Original Message-----
From: fedora-list-bounces at redhat.com
[mailto:fedora-list-bounces at redhat.com]On Behalf Of Matthew Miller
Sent: Monday, June 06, 2005 8:02 AM
To: For users of Fedora Core releases
Subject: Re: how can you verify that the site you get is not a fake?


On Mon, Jun 06, 2005 at 07:36:04AM -0700, bruce wrote:
> and matt.. now you see the issue that i've been dealing with...
> my bad for not clarifying it earlier.. the ssl aspect helps, but it still
> doesn't get to the issue of allowing someone to 'know' or be extremely
> certain, that the site they're on, is the 'right' site for the url that
> they're trying to obtain...

I think it'd help a lot if you'd clarify exactly who you're trying to help,
here. All visitors to a general-interest web site? Your customers? All
employees of a business, or other members of your own organization?


> on a similar tip. if you lose your password.. what's a secure way to get the
> password. the current method (of course) is to send you a new password via
> email.. assuming that you know your username. but given the fact that email
> is text, and could easily be sniffed, is there another/better way.. (and
> let's not get into public/private encryption!!)

The method you describe is one of the poorer current methods. A slightly
better one sends a hashed URL to the e-mail on record, and if you then go to
that site, you can set a new password. Still somewhat weak, but at least the
actual password isn't going in plain text -- and presumably, if someone else
changes your password by intercepting the mail, you'll at least know about
it.


[ps: it'd make this conversation go easier if you could not top post --
thanks!]

--
Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.

--
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
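The "hashed URL" reset that Matthew describes above can be made a little less weak than he gives it credit for if the server stores only a digest of the token, lets each link work once, and expires it after a short window. The following is an added illustration, not code from either poster or from the fedora-list; the service class, the 15-minute lifetime, the `example.invalid` host and the in-memory "outbox" standing in for real mail are all assumptions made for the example.

```python
"""Password-reset flow that mails a one-time token URL instead of a password."""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes
RESET_BASE_URL = "https://example.invalid/reset"  # placeholder host, not a real site


@dataclass
class ResetRecord:
    username: str
    email: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Hypothetical service; the outbox and password store are in-memory stand-ins."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised offline
        self._records = {}         # sha256(token) -> ResetRecord; the raw token is never stored
        self.password_hashes = {}  # username -> stored password hash (stand-in)
        self.outbox = []           # (recipient, message) pairs instead of real SMTP

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, username: str, email: str) -> str:
        # 256 bits of entropy: the link cannot be guessed, only intercepted.
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = ResetRecord(
            username, email, self._now() + TOKEN_TTL_SECONDS
        )
        url = f"{RESET_BASE_URL}?token={token}"
        # Only the link goes out by mail; no password, old or new, is ever sent.
        self.outbox.append((email, f"Reset your password: {url}"))
        return url  # returned so the example can drive the flow without a browser

    def complete_reset(self, token: str, new_password: str) -> bool:
        rec = self._records.get(self._digest(token))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False  # unknown, already-used, or expired token
        rec.used = True   # single use: a sniffed link is worthless once the owner has used it
        # Stand-in for a real password hash; a production store would use a salted KDF.
        self.password_hashes[rec.username] = hashlib.sha256(new_password.encode()).hexdigest()
        # Notify the account owner, so a reset they did not perform does not go unnoticed.
        self.outbox.append((rec.email, "Your password was just changed."))
        return True
```

The notification at the end is what gives the account owner the "at least you'll know about it" property from the thread: if someone else consumed the link, the legitimate user still receives the change notice. Note that the spoofed-sender problem Bruce raises is not solved here; the token only proves that whoever clicked it could read the mailbox on record.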