Gervase Markham wrote:
Jaqui Greenlees wrote:

Yes. I remove all CAs, and rebuild the list only for those SITES where I trust the site owners (not cert authority at all, as they only issue certs for money. It has to be for sites, not authorities).
So, instead of including a CA list, let the end user build a list of trusted sites.


How do you know you aren't being subjected to a MITM attack at the time you add the cert of each site?

Gerv

I only accept / use 5 different sites.
I know which CA, and what each cert contains.
I read each cert before going through any transaction when rebuilding the list.
If there are changes, I verify through the company that owns the site before proceeding.


While most people are more accepting, and use more sites for purchases, which makes that depth of knowledge for all sites problematical, it works for me. :)

Most frequently, I snail mail an international money order to the company, and don't order online.

But as long as certs are issued for a fee only, with no real regulation for standards, no CA is really trusted. The company you wish to purchase from is more likely a "trusted" entity.

One friend of mine won't purchase online; he will phone the company and do transactions with a credit card over the phone instead. He had a problem one time with a site charging more to his card than he bought. Turns out that the site in question didn't secure the order data, but once burned, twice shy.

I know one company that almost stopped their online store, as there were too many fraudulent cards being used in their store; the chargebacks and penalties were killing them.

Jaqui
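The per-site trust model described in this message (no CA list, a handful of pinned site certificates, and any change held back until confirmed with the site owner out of band) is sketched below as an added example; it is not code from the list or from either poster. Host names and the DER byte strings are constructed placeholders; `fetch_der` uses the Python standard library's `ssl.get_server_certificate` to obtain a real site's certificate when run online.

```python
import hashlib
import ssl
from dataclasses import dataclass, field
from typing import Dict, Set

# Verdicts for a certificate presented by a site.
TRUSTED = "trusted"            # fingerprint matches one pinned for this site
CHANGED = "changed"            # pinned site, unknown cert: confirm out of band first
UNKNOWN_SITE = "unknown-site"  # not one of the few trusted sites: refuse outright


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, colon-separated hex as printed by openssl."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Retrieve the leaf certificate a live site presents (no CA validation is done
    here on purpose; trust comes only from the pin store and out-of-band checks)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


@dataclass
class SitePinStore:
    """Per-site allow-list of certificate fingerprints; no CA is ever consulted."""
    pins: Dict[str, Set[str]] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)

    def check(self, host: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        if host not in self.pins:
            return UNKNOWN_SITE
        if fp in self.pins[host]:
            return TRUSTED
        # A pinned site showed a certificate we have never seen: either a MITM or a
        # legitimate rotation. Hold it until the site owner confirms the fingerprint.
        self.pending[host] = fp
        return CHANGED

    def confirm(self, host: str, fp_from_owner: str) -> bool:
        """Pin a pending fingerprint only if it equals the one the owner read back."""
        if self.pending.get(host) != fp_from_owner:
            return False
        self.pins.setdefault(host, set()).add(self.pending.pop(host))
        return True


# Constructed stand-ins for DER certificates; not real certificates.
SHOP_CERT = b"\x30\x82\x01\x00constructed-cert-shop.example-v1"
SHOP_CERT_ROTATED = b"\x30\x82\x01\x00constructed-cert-shop.example-v2"
```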
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
