how can you verify that the site you get is not a fake?

Joel Jaeggli joelja at darkwing.uoregon.edu
Mon Jun 6 17:35:17 UTC 2005


On Mon, 6 Jun 2005, bruce wrote:

> and matt.. now you see the issue that i've been dealing with...
>
> my bad for not clarifying it earlier.. the ssl aspect helps, but it still
> doesn't get to the issue of allowing someone to 'know' or be extremely
> certain, that the site they're on, is the 'right' site for the url that
> they're trying to obtain...
>
> on a similar tip. if you lose your password.. what's a secure way to get the
> password. the current method (of course) is to send you a new password via
> email.. assuming that you know your username. but given the fact that email
> is text, and could easily be sniffed, is there another/better way.. (and
> let's not get into public/private encryption!!)

why not? public-private encyrption is the right tool for a number of 
jobs... A better solution in the context of shell accounts at least is 
simply not to use passwords. when you create an account for someone. you 
have them generate dsa keypair they send you the public part in clear text 
email, you drop it in their ~/.ssh/authorized_keys they log in with the 
private half. no passwords went over the wire. A similar thing can be 
done with ssl webservers and client keys.

> any ideas/thoughts...
>
> -bruce
>
> -----Original Message-----
> From: fedora-list-bounces at redhat.com
> [mailto:fedora-list-bounces at redhat.com]On Behalf Of Matthew Miller
> Sent: Monday, June 06, 2005 6:54 AM
> To: For users of Fedora Core releases
> Subject: Re: how can you verify that the site you get is not a fake?
>
>
> On Mon, Jun 06, 2005 at 06:48:31AM -0700, bruce wrote:
>> matt, i unsderstand what you're saying...
>> but i still don't see how this protects/allows a user to 'know' that th
> site
>> he's on is the correct site...
>> as an example. i go to the verisign site (www.verisign.com) i can select
> the
>> verisign logo, which displays a pop-up. i read it, it looks good.. i think
>> i'm secure...
>> however, there's nothing that i look at, that couldn't be forged/faked by
>> you or i with the right web app knowledge...
>
> Sure. But go to <https://www.verisign.com/> isntead.
>
>> i understand that the 'ssl/lock' is a function of the browser and is
>> supposed to be used to present details of the ssl certificate employed...
> i
>> also understand that the lock function is a component of the browser...
>> however, this asumes the user knows to click on the 'lock'. if i were to
>> provide a fake 'picture/icon' for the user to select, such that it
> displayed
>> the fake ssl information, in all likelyhood, the user wouldn't know the
>> difference..
>
> Um, this is a switch. Now you're asking: "How can I make all possible idiots
> in the world know" rather than "How can *I* know". Obviously one has to know
> about and use the browser's security features for this to work.
>
> You (as a malicious website) can't provide a fake SSL icon, because you
> don't control the frame of the web browser, just the page contents. If the
> user is tricked by some graphic you've done up and put on the site, yeah,
> not much to do about that.
>
> --
> Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
> Boston University Linux      ------>                <http://linux.bu.edu/>
> Current office temperature: 80 degrees Fahrenheit.
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
>

-- 
--------------------------------------------------------------------------
Joel Jaeggli  	       Unix Consulting 	       joelja at darkwing.uoregon.edu
GPG Key Fingerprint:     5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




More information about the users mailing list