[H-GEN] https + apache

Michael Anthon michael at anthon.net
Fri Jul 18 23:20:09 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Sat, 19 Jul 2003 12:26:17 +1000, Russell Stuart <russell at stuart.id.au> 
wrote:
> More to the point, the client (ie the browser) doesn't use the cert to
> verify the merchant is who the user thinks it is.  Consider a recent
> scam where someone created web pages that looked like a bank's.
> Then they tricked users into going to those pages, and then into handing 
> over their bank account numbers and pins.  The only point of having a 
> cert within SSL is to protect against this type of attack.
> But it doesn't.  It is, as far as I can tell, a total waste of time, 
> money and CPU cycles.

Yes, well, that is probably more to do with education of the users than 
anything else.  Whenever you do financial transactions on the web you 
should always double check the hostnames on the sites you are using.  As 
far as my understanding of SSL goes the "correct" way to do this would be 
for the banks to issue client certificates to their users but this is 
probably too hard for the banks to manage (and for stupid customers to 
understand which is probably more to the point).

WRT your suggestion of a one time acceptance, that's actually a pretty 
sensible idea.  As you mention it works well enough for SSH.

Cheers,
Michael

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
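The "one time acceptance" model the reply compares to SSH is trust-on-first-use: remember the server's key the first time you see it and alarm if it later changes. Here is an added illustration of that check, not code from the thread; the hostnames and certificate bytes are constructed stand-ins, and fingerprints are SHA-256 over the raw certificate.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first-seen"  # nothing remembered: accept once, record it
    MATCH = "match"            # same certificate as last time
    MISMATCH = "mismatch"      # certificate changed: possible impersonation


def fingerprint(cert_der: bytes) -> str:
    """Stable identifier for a certificate (SHA-256 over its DER bytes)."""
    return hashlib.sha256(cert_der).hexdigest()


class TrustStore:
    """SSH known_hosts-style store keyed by the hostname the user typed."""

    def __init__(self) -> None:
        self.known: dict[str, str] = {}

    def check(self, hostname: str, cert_der: bytes) -> Verdict:
        fp = fingerprint(cert_der)
        remembered = self.known.get(hostname)
        if remembered is None:
            # First contact: nothing to compare against, so remember it.
            self.known[hostname] = fp
            return Verdict.FIRST_SEEN
        if remembered == fp:
            return Verdict.MATCH
        # A changed certificate is exactly what SSH warns loudly about;
        # the store is deliberately NOT updated here.
        return Verdict.MISMATCH


def demo() -> list[Verdict]:
    # Constructed stand-ins: a bank's certificate and an impostor's.
    bank_cert = b"constructed-der-bytes-for-bank.example"
    impostor_cert = b"constructed-der-bytes-for-an-impostor"
    store = TrustStore()
    return [
        store.check("bank.example", bank_cert),      # first visit
        store.check("bank.example", bank_cert),      # same cert again
        store.check("bank.example", impostor_cert),  # cert swapped
    ]
```

Note what this does not cover: the first connection is accepted blind, and a look-alike hostname gets its own fresh entry, so it still relies on the user checking the hostname, as the reply says.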


