On 5/13/05, Jaqui Greenlees <[EMAIL PROTECTED]> wrote:
> Gervase Markham wrote:
> > Jaqui Greenlees wrote:
> >
> >> yes. I remove all ca's, and rebuild the list only for those SITES
> >> where I trust the site owners ( not cert authority at all, as they
> >> only issue certs for money. it has to be for sites not authorities )
> >> so, instead of including a ca list, let end user build a list of
> >> trusted sites.
> >
> > How do you know you aren't being subjected to a MITM attack at the time
> > you add the cert of each site?
> >
> > Gerv
>
> I only accept / use 5 different sites.
> I know which ca, and what each cert contains.
> I read each cert before going through any transaction when rebuilding
> the list.
> if there are changes, I verify through the company that owns the site
> before proceeding.

If I hand you a passport, and you look at me and realize that you've not seen me before (probably not, anyway), and then you look in the passport and it has all the information about someone you know, and that information is accurate, you still won't believe it. When you visit a website and check that the certificate contains information that matches the site you want to be visiting, how do you know the ID is not a fake? (SSL only assures you that the certificate presented was presented by the entity on the other end of the connection, and usually that the data is encrypted between you and that entity - whoever it is.)

> while most people are more accepting, and use more sites for purchases,
> which makes that depth of knowledge for all sites problematical, it
> works for me. :)

I agree with your general concern but I think your approach is over the top. I keep all the roots that were shipped with my browser in my browser. Anytime I'm doing something I'm concerned about in terms of data exchange, I examine the contents of the site's certificate and I evaluate the reputation and policies of the CA that issued it. I don't trust every CA but I surely wouldn't ignore whatever authentication they do.

> I know one company that almost stopped their online store, as there were
> too many fraudulent cards being used in their store, the chargebacks and
> penalties were killing them.

This is totally valid. This is totally unrelated to validating a server's identity. The solution here is to find a payment processor / payment gateway provider that offers fraud protection by screening. A good payment fraud screening service can eliminate the majority of credit card fraud that online merchants not using fraud screening services are susceptible to; a good fraud screening service will pay for itself every month (it will be a net savings, not a cost) and can provide you reports to demonstrate it.

The downside is that while you may eliminate most of your fraud, you will also have some restrictions on what kinds of requests you can service (perhaps you may not be able to accept payments with a credit card from one country and ship the product to another - or whatever are the most helpful screens).

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
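The "list of trusted sites" approach discussed in this thread, as an added example that is not code from the thread or from Mozilla: a per-site pin store that keeps the browser's normal CA chain validation and, on top of it, distinguishes a first contact (which, as Gerv points out, the pin itself cannot authenticate) from a certificate that has changed since it was pinned, which Jaqui says should be confirmed with the site owner before proceeding. The hostnames and certificate bytes in the test are constructed; `fetch_leaf_cert` is a hypothetical helper for live use.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class SitePinStore:
    """Per-site set of trusted leaf-certificate fingerprints.

    Outcomes of check():
      "pinned"  - certificate matches one the user already inspected and approved
      "changed" - site is known but presents a different certificate: could be a
                  legitimate rotation or a MITM; confirm out of band before use
      "unknown" - first contact: the pin list cannot vouch for this site yet
    """

    def __init__(self, pins=None):
        # host -> set of sha256 hex fingerprints (constructed/empty by default)
        self.pins = {h: set(v) for h, v in (pins or {}).items()}

    def check(self, host: str, der_cert: bytes) -> str:
        known = self.pins.get(host)
        if known is None:
            return "unknown"
        return "pinned" if fingerprint(der_cert) in known else "changed"

    def approve(self, host: str, der_cert: bytes) -> None:
        """Record a certificate the user verified with the site owner."""
        self.pins.setdefault(host, set()).add(fingerprint(der_cert))

    def is_trusted(self, host: str, der_cert: bytes) -> bool:
        # Only an explicitly approved pin counts; "unknown" and "changed" both block
        return self.check(host, der_cert) == "pinned"


def fetch_leaf_cert(host: str, port: int = 443) -> bytes:
    """Hypothetical live helper: fetch the DER leaf cert over a verified TLS session.

    create_default_context() still validates the CA chain and hostname, so the
    pin check above supplements CA validation rather than replacing it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```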
