Duane wrote:
Frankly I'd be more worried about domain hijacking: how many large ISPs have the ability to point bankingsite.com to another location if their DNS server was compromised? Furthermore, how many end users would notice the lock was missing as they entered their banking details into the site?
A person I knew doing a security audit for a bank did just that to a major ISP here in Australia, and after they went to what they thought was the bank's login page it just had a simple notice: sorry, online banking is currently down, please try again later. Within an hour he had, I think, over 9,000 or 10,000 login details for that bank. No SSL, just a simple DNS redirect, and he didn't even have access to the bank's name server; he didn't need it.
That's a good story - you should write it up!
Can you ask your mate a) how many connections came in but didn't pursue / users didn't enter their details, and b) how many people complained / notified / otherwise thought that something was fishy? These would be very very useful statistics, and would enable developers to better understand the user base that we are dealing with.
iang
PS: I did have a much longer reply, but, ominously, thunderbird decided to crash and take it away...
