Ian G wrote:

> On Wednesday 18 May 2005 10:15, Duane wrote:
>
>> Ian G wrote:
>>
>>> Now, it may be said that SSL simply doesn't cover those,
>>> which is fair, but security is an overall equation, which
>>> means that unless the really big holes are covered,
>>> there is no point in worrying too much about the small
>>> holes.
>>
>> Ummm 1 little problem here, if you remove the pop-ups, you increase the
>> risk of someone making a certificate for "*", or even better yet, remove
>> SSL altogether and have someone acting as a proxy, sure they may not
>> listen on an open connection, but if you're able to proxy the data it's
>> almost as easy...
>
> You are absolutely right - one little problem. Yes,
> you can do all these things. The question is whether
> a rational, economically calculating crook would do
> this. As it turns out, not likely.
>
> List out your threats. Then validate them - measure
> them. Make sure they are actually present and causing
> damage before spending a dime on protecting against
> them.
How about I do just that... This is just a couple of things from the past week or so...

Report just out on sysadmin insider attacks: up to 1/3rd have been in prison...

Google's proxy system managed to let the website people were visiting already think they were logged on under someone else's user ID.

Yup, no problem here at all we should be protecting against...

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."
