On Wed, Oct 06, 1999 at 06:28:45PM -0700, Greg Broiles wrote:
> This deserves further explanation. In order to begin an SSL session, the 
> server must present its public key and its site certificate to the client. 

I think you're missing the point of the article. The issue is, what
happens when the imposter site simply doesn't use SSL?

It looks perfectly normal, like the thousands of other sites out there
that don't use SSL.

The "Location:" field shows http instead of https. How many people
would think twice about seeing "http://" in the Location field?

The little lock icon in the lower left corner of Netscape stays
unlocked, like it does 99% of the time. You wouldn't notice unless
you're savvy and alert enough to specifically check for it.

The only warning message that might appear is the "You are submitting
a form insecurely" dialog. But with all of the web forms out there
(search engines, web-based email, useless chrome, etc.) that dialog is
quickly disabled on many systems - I'd bet nearly all of them.

No warnings about certificates because there just aren't any
certificates to warn about.

Anybody who doesn't make a point of ritualistically checking security
information would likely be taken in.
