
Re: how can you verify that the site you get is not a fake?



On Mon, Jun 06, 2005 at 08:22:11AM -0700, bruce wrote:
> i was referring to the issue of anything sent via email that's not
> encrypted is 'weak'.. if you send a hashed passwd/data via email, along
> with a url for the user to link to, you're still in the same situation you
> have now.. some one could spoof your email and send it, changing the
> url...

No, it's slightly better than just sending the password, because even if the
message is intercepted, at least the victim will be aware that someone else
changed the password.


> it's obvious that i'm only interested in this problem/solution as it
> pertains to sites that require you to login (user/passwd) because the site
> has something of value... these are also the sites with the $$$ for a
> reasonable/good solution!

Someone else suggested using snail mail -- sending a reset token (again, not
a new password) this way is one approach. (The Vermont college savings plan
I just set up for my daughter uses this, for example.)

Again, it comes down to balancing risks. How important is convenience vs.
security?

-- 
Matthew Miller           mattdm mattdm org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.

