On 10/04/2010 02:38 PM, Tom Hobbs wrote:
> Isn't that the basic underpinning of secure web traffic?
> Maybe I'm being overly simplistic, but if I browse to www.mybank.com a
> security handshake happens and then anything that server sends me, be it
> images, JavaScript, data etc, I implicitly trust. If I log into
> gmail.com or amazon.com or whatever, additional handshakes with those
> (code)servers happen again.
> If I get a service proxy from apache.org, then I can implicitly trust it.
> If I download a service proxy from dodgyproxies.com, a site I've never
> heard of before, then I shouldn't be surprised if it trashed my machine.

Exactly. And if you want to download anything from another place than
the original source, you have to trust the 'codeproxy' and add it to
your trustlist (for downloading). You still have to verify the code
against the trustlist for its certificate+codehash. It waters down the
guarantees a bit, but only for the part of the spent bytes from your
dataroaming plan. And maybe it would be wise to put that rogue codeproxy
on your 'I will never trust them again' list.
Gr. Sim
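
The scheme described in the reply above, sketched as an added example that is not part of the original message or of any project code: one trustlist decides where code may be downloaded from, a separate trustlist of certificate+codehash pairs decides whether the downloaded bytes may be used, and a host that serves bytes failing that check moves to the never-trust list. It assumes the certificate is identified by the SHA-256 of its encoded bytes and leaves signature verification out; class, method and host names are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class TrustPolicy:
    # (certificate fingerprint, code hash) pairs that may be used
    code_trustlist: set = field(default_factory=set)
    # hosts accepted as download sources: the original source or a codeproxy
    download_trustlist: set = field(default_factory=set)
    # hosts that served code which failed verification
    never_trust: set = field(default_factory=set)

    def trust_code(self, cert_der: bytes, code: bytes) -> None:
        self.code_trustlist.add((sha256_hex(cert_der), sha256_hex(code)))

    def may_download(self, host: str) -> bool:
        # Checked before any bytes are fetched.
        return host in self.download_trustlist and host not in self.never_trust

    def verify_code(self, host: str, cert_der: bytes, code: bytes) -> bool:
        # Checked after download, whichever host served the bytes.
        if (sha256_hex(cert_der), sha256_hex(code)) in self.code_trustlist:
            return True
        # Only the downloaded bytes were wasted; never use this host again.
        self.download_trustlist.discard(host)
        self.never_trust.add(host)
        return False


def demo() -> list:
    # Constructed sample data; host names are placeholders.
    cert = b"constructed signer certificate"
    code = b"constructed service proxy bytes"
    policy = TrustPolicy(download_trustlist={"origin.example", "codeproxy.example"})
    policy.trust_code(cert, code)
    results = [policy.may_download("unknown.example")]
    results.append(policy.verify_code("origin.example", cert, code))
    results.append(policy.may_download("codeproxy.example"))
    results.append(policy.verify_code("codeproxy.example", cert, code + b"!"))
    results.append(policy.may_download("codeproxy.example"))
    return results


if __name__ == "__main__":
    print(demo())
```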