On Sunday 19 June 2005 19:36, Heikki Toivonen wrote:
Duane wrote:
In the end they decided to try it and now they enter the website address
of their bank each time (they don't use bookmarks or click on links in
emails) to make sure they connect to the right site each time. So
So for them
On Sunday 19 June 2005 16:51, Amir Herzberg wrote:
Hi, I noted that Citibank changed their login form at
http://CitiBank.com. It now points you at the site:
I followed the above to this:
http://CitiBank.com/us/index.htm
then clicked on * sign on to get to this:
https://web.da-us.citibank.com/
On Sunday 19 June 2005 16:17, Ian G wrote:
On Sunday 19 June 2005 16:51, Amir Herzberg wrote:
Hi, I noted that Citibank changed their login form at
http://CitiBank.com. It now points you at the site:
I followed the above to this:
http://CitiBank.com/us/index.htm
then clicked on * sign
On Saturday 18 June 2005 22:22, Heikki Toivonen wrote:
Ka-Ping Yee wrote:
The important question is not whether there is effort involved but
whether the amount of effort is reasonable and worth it.
The thing is, even minimal effort when the perceived threat/payback is
nil is too much. If
On this thread [EMAIL PROTECTED] said to me:
One quick comment (I will likely respond in more detail later) - SSL V2
should now be off across our entire complex. If you know of any cases
where we have specific servers that are still accepting V2 connections,
please can you let me
On Tuesday 14 June 2005 03:10, Tyler Close wrote:
Hi Heikki,
On 6/13/05, Heikki Toivonen [EMAIL PROTECTED] wrote:
and are willing to pay for the chrome real estate it takes.
I don't understand this complaint. The petname tool is *tiny*. It's
just a text field.
I've been thinking about
On Wednesday 08 June 2005 23:22, Heikki Toivonen wrote:
Ian G wrote:
I've previously looked at the pages on /security/ for
guidance and not found a way forward. I think we
need more help from Mozilla in how to deal with this.
This page speaks about the security bug group. Now
in my
On Thursday 09 June 2005 00:16, Gervase Markham wrote:
Ian G wrote:
OK, so I hope you don't mind but I have to suggest
that this approach is a mistake, IMO. What is required
here is experimentation. Move forward and if it fails then
rip it out and say sorry. So what? It's hardly
Hello David,
On Wednesday 08 June 2005 14:44, L. David Baron wrote:
On Wednesday 2005-06-08 14:30 +0100, Ian G wrote:
So here's the question:
Who's dealing with phishing in Mozilla?
Discussion below, ending in the question.
On Tuesday 07 June 2005 03:11, Tyler Close wrote:
I've
On Wednesday 08 June 2005 16:38, Mike Shaver wrote:
Ian G wrote:
Petname hasn't to my knowledge any testing done
in a proper sense on naive users. Trustbar has,
and it shares the same roots in security theory. The
results were positive, although the tests were done
in small numbers
On Wednesday 08 June 2005 07:21, Heikki Toivonen wrote:
http://petname.mozdev.org/
I briefly checked it out. It is certainly interesting. It looks like a
variation of the theme where users and the browser share a common secret
(in this case user written text, in some other proposal user
On Wednesday 01 June 2005 19:01, Gervase Markham wrote:
Duane wrote:
This is especially important for web related uses
as you could also send the hostname you wanted to connect to before
doing the handshaking, which means if a server has 50 certificates to
choose from, and you send a
On Saturday 28 May 2005 02:14, Tyler Close wrote:
On 5/27/05, Ian G [EMAIL PROTECTED] wrote:
And, both petname and trustbar were roundly rejected
by the Mozilla security community. Strike two.
My understanding was that no one on this list has the authority to
introduce a new tool
On Saturday 28 May 2005 11:46, Duane wrote:
Ian G wrote:
The free toolbar, released Tuesday, was downloaded more than 60,000
times within hours of its release, according to Netcraft Internet
Services Developer Paul Mutton.
Actually I meant to comment on this specifically before
On Friday 27 May 2005 06:04, Nelson B wrote:
Duane wrote:
Ian G wrote:
Firefox users snap up Netcraft's antiphishing toolbar
Netcraft's toolbar blocks access to reported phishing sites
I grabbed it, tried it and promptly uninstalled it based on how much
information was leaking like
Thanks to you all for taking the time for discussing this.
Earlier, Nelson said:
... I imagine you see it as another
for your growing list of potentially fatal PKI flaws.
Yes, it is important to get the case down in writing,
as future designers and architects need to learn
the lessons of the
http://www.infoworld.com/article/05/05/26/HNfirefoxnetcraft_1.html
Firefox users snap up Netcraft's antiphishing toolbar
Netcraft's toolbar blocks access to reported phishing sites
By Scarlet Pruitt, IDG News Service
May 26, 2005
Users of the Firefox Web browser have been flocking to
On Friday 27 May 2005 01:21, Duane wrote:
Ian G wrote:
Firefox users snap up Netcraft's antiphishing toolbar
Netcraft's toolbar blocks access to reported phishing sites
I grabbed it, tried it and promptly uninstalled it based on how much
information was leaking like a submarine
On Wednesday 25 May 2005 19:14, Anne Lynn Wheeler wrote:
Nelson B [EMAIL PROTECTED] writes:
Ah, I was wondering when paradoxes would enter this discussion.
CA self revocation: Everything I say is a lie.
I think not said Descartes, who promptly vanished.
the original scenario was that
On Wednesday 25 May 2005 20:27, Julien Pierre wrote:
By signing a CRL that does not include a particular cert's serial
number, or by signing an OCSP response that says this cert's serial
number is still valid, a CA makes the statement that the cert in
question is not revoked.
Surely not!
On Tuesday 24 May 2005 14:05, Jean-Marc Desperrier wrote:
Julien Pierre wrote:
I'm saying the standard defines no way to revoke a lost CA root, because
it doesn't make sense. When a root is compromised, there is no PKI
standard that can fix this.
To be precise, the standard says that path
On Saturday 21 May 2005 00:41, Julien Pierre wrote:
Ian,
Ian G wrote:
But OCSP/CRL can not help in case of *root* cert compromise.
There's nothing above it to sign the validity information.
Can't it revoke itself?
This is priceless and one for the books. This statement shows that you
On Saturday 21 May 2005 17:46, Ram A Moskovitz wrote:
If a root key is compromised and a certificate status server responds as
such the only way to undo the revocation is for the bad guy with the
private-key to prevent access to the responder, or spin up a new one which
answers differently
On Friday 20 May 2005 23:47, Jean-Marc Desperrier wrote:
Gervase Markham wrote:
Er, given that we have no OCSP and no-one's checking CRLs, I think
losing a root cert which is embedded in 99% of browsers out there would
be an _extremely_ big deal.
But OCSP/CRL can not help in case of
On Wednesday 18 May 2005 07:24, Nelson B wrote:
Ian G wrote:
In practice, sites see HTTPS as a cost, and a barrier. It doesn't
provide any protection that they *need* although this might be
less true in the future and for big sites.
So, you're saying they don't need encryption
List out your threats. Then validate them - measure
them. Make sure they are actually present and causing
damage before spending a dime on protecting against
them.
How about I do just that... This is just a couple of things from the
past week or so...
Report just out on sys admin
On Monday 16 May 2005 08:03, Michael Vincent van Rantwijk wrote:
Duane wrote:
http://computerworld.co.nz/news.nsf/UNID/FCC8B6B48B24CDF2CC2570020018FF73?OpenDocumentpub=Computerworld
Up to 300 BankDirect customers were presented with a security alert when
they visited the bank's website
On Sunday 15 May 2005 04:14, Anthony G. Atkielski wrote:
Ian G writes:
By way of comparison, in the same time frame,
my company chose Java for desktop clients for
security reasons, and even though our result is
much more secure and robust, we can't get people
to install Java without
On Saturday 14 May 2005 13:03, Anthony G. Atkielski wrote:
Jaqui Greenlees writes:
any extension to a browser should by default be marked as insecure.
Or the developers of the browser could be held liable for damages for
not marking it as such.
( flash included )
I agree. And they
On Thursday 12 May 2005 05:17, Anthony G. Atkielski wrote:
Jean-Marc Desperrier writes:
Alternate solution: An established list of tier 1 essential extensions
that you can trust fully for that level of attention.
If they are essential, they should not be extensions.
Perhaps routine
On Thursday 12 May 2005 06:19, Duane wrote:
Actually the funniest thing was said the other day, Mark Shuttleworth
came out and said the root certificate for Thawte was kept in his
underpants drawer for the first 2 years of operation. Needless to say the
audience was in stitches over that one...
On Thursday 12 May 2005 13:28, Duane wrote:
Ian G wrote:
The most important thing that the browser UI
can do is to promote more SSL. If twice as
many people use SSL but it has a slight
vulnerability, that's much better than perfect
system that is only used by half as many.
I agree
On Tuesday 10 May 2005 18:09, Jean-Marc Desperrier wrote:
Gervase Markham wrote:
As an example (and I don't know of anyone who is actually suggesting
this), what if we made all CAs who issued non-zero accountability certs
post a $1,000,000 bond against losses from phishing attacks performed
On Wednesday 11 May 2005 02:05, Ram A Moskovitz wrote:
Gerv, are you or MF required to sign an NDA of any kind to attend?
A good point! And one that shouldn't have needed to
be asked, but given recent revelations about Mofo's
private revenue arrangements (for good or for bad), I
guess this is
Frank Hecker wrote:
Gervase Markham wrote:
Have I missed something, or is the Security tab missing from the Page
Info dialog in Firefox 1.0.x? Is there any way to see the contents of
the cert securing the site you are on?
I just tested this on Firefox 1.0.3 for both Windows XP and OS X against
Frank Hecker wrote:
I thought this was interesting:
http://media.timewarner.com/media/newmedia/cb_press_view.cfm?release_num=55254369
The basic summary: AOL will try to block AOL members' attempts to
connect to phishing sites, using a blacklist of suspected phishing sites
provided by Cyota
Nigel McFarlane wrote:
Microsoft does not support the web.
Microsoft knows all this and wants to sell products.
The way to sell products to the web sector is to have
an alternative that's better than the web.
Relevant here, the mark of the web is just one way that Microsoft
can clearly
Jaqui Greenlees wrote:
Peter Gutmann wrote:
You can see where the magic-numbers problem has lead with the magic
number
128. Provided that you mention this magic number somewhere in your
marketing literature, your product will be regarded as secure no
matter how
bad it is in practice.
~snip~
Gervase Markham wrote:
It's like Michelin stars. You probably have to cook better food these
days to get 3 stars for your restaurant than you did in the 30s, but
three stars still means the best available.
Michelin stars would be a perfect example.
The users would see the Michelin man, and
the
Nelson B wrote:
[here I have snipped an old message of mine that says that SSL2
servers are hindering the rollout of new optional TLS extensions. ]
Ian, how is that stopping people from using encryption?
Correct me if I am wrong, but it means that the
virtual hosts capability in newer versions
Ka-Ping Yee wrote:
On Mon, 18 Apr 2005, Ian G wrote:
Gervase Markham wrote:
It's like Michelin stars. You probably have to cook better food these
days to get 3 stars for your restaurant than you did in the 30s, but
three stars still means the best available.
Michelin stars would be a perfect
Nigel McFarlane wrote:
[long post]
Indeed. My sense of the problem is below. Please
correct where I got it wrong.
There are two worlds, the web and the disk. The
assumption is that the web is untrusted and the
disk is trusted **.
Anything that is stored on the disk is thought to
be secure,
Gervase Markham wrote:
Ian G wrote:
That would be incomplete :) What you should say is that
Gervase thinks GeoTrust certs are not suitable for commerce!
If you want to be like that, then the correct text is:
If you put your CC number into here and get ripped off, there's no
possible way you
Gervase Markham wrote:
Ian G wrote:
I'd say 40 bit is good enough for banking, and 128 bit
is good enough for banks :-) As the TLS people have now
added a 256 bit protocol suite, they no doubt think that
only 256 should be used by banks...
I think you may have missed my point, which
Gervase Markham wrote:
...I'm saying that we
need to assess certs according to how likely it is that we can trace the
cert back to a real individual, not as to how the data required for such
tracing was gathered.
OK, the answer to that is reasonably likely if
the person doesn't care, and
Gervase Markham wrote:
Ian G wrote:
OK, I'll accept that. So your message for the good certs is what?
If you put your CC number into here and get ripped off,
it might be possible for you to find the guy who did it.
Just about. As a consumer, I'd be happier with that than Hey, if you
Gervase Markham wrote:
Of course, we might be able to make it work by reducing the number of
CAs to (say) 8...
The market works all this out. There will be some
settling. In each country there will be like 1-3
big national brands. Then there will be the globals,
the Intels of certification,
Nelson B wrote:
Ian G wrote:
(OTOH, something like SSLv2 v. SSLv3/TLSv1 is stopping
people elsewhere using crypto.
What are you talking about?
This one:
Nelson B wrote:
Julien Pierre wrote:
There is a TLS extension called server name indication. It is
currently not implemented by NSS
Peng wrote:
That may instead annoy them sufficiently that they switch back to IE, if
they need to visit the site a lot. Personally, I didn't use to think
to contact a website if there was a problem. I just ignored it or went
to another website or spoofed my user agent or something.
Putting
Duane wrote:
Ian G wrote:
Peng wrote:
That may instead annoy them sufficiently that they switch back to IE,
if they need to visit the site a lot. Personally, I didn't use to
think to contact a website if there was a problem. I just ignored it
or went to another website or spoofed my user agent
Gervase Markham wrote:
[EMAIL PROTECTED] wrote:
So we created a new type of automated
certificate that focuses on proof of domain control in real time
combined with real time email and telephone validation and
sophisticated fraud-detection algorithms.
I'd be interested in hearing more about the
Gervase Markham wrote:
Ian G wrote:
Why are you requiring that of GeoTrust? What happens
if they don't provide that service?
Then the browser UI I write doesn't mark their certs as suitable for
commerce :-)
That would be incomplete :) What you should say is that
Gervase thinks GeoTrust
Jean-Marc Desperrier wrote:
Ian G wrote:
http://www.ebcvg.com/articles.php?id=673
Mozilla: The Honeymoon is over
Well, this time it's the analysis by the expert who's selling
antivirus/http filters.
Unfortunately, many will fail to his incredibly specious assessments
about the recent
Duane wrote:
Peter Gutmann wrote:
You may as well name 'em since it's fairly well known, it's Verisign (yes, the
Actually another one, so that makes 2 of them (at least)...
Duane,
Either you are working for some company and you have
a conflict of interest that stops you doing security
work. Or
http://www.techworld.com/security/news/index.cfm?NewsID=3468
SSL 'security' aiding online fraud
http://www.ebcvg.com/articles.php?id=673
Mozilla: The Honeymoon is over
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
Duane wrote:
Ian G wrote:
http://www.techworld.com/security/news/index.cfm?NewsID=3468
SSL 'security' aiding online fraud
Considering the experts giving these claims are trying to sell more
expensive certs, I'm going to take it with a grain of salt until more
attacks hitting my inbox really do
Ka-Ping Yee wrote:
This is further evidence that we cannot rely on CAs to maintain
clear uniqueness of certificates, and that we must enable users
to establish trust relationships without having to depend on CAs.
Certainly, relying on the CAs to maintain any
uniqueness amongst the entire set is a
Ian G wrote:
I've just upgraded my Firefox to 1.0.2 and this time
the FreeBSD version handles plugins, so I installed
both of them. Unfortunately petname doesn't appear.
OK, Ping just fixed me up there, it had to be dragged
from the palette. Now it's sitting there and I have
petnamed two of my
Frank Hecker wrote:
Gervase Markham wrote:
...and there's a white paper which goes into more depth.
http://geotrust.com/resources/white_papers/pdfs/SSLVulnerabilityWPcds.pdf
Hey Ian, they read your blog :-) See the footnote to page 11 (page 13
in the PDF).
Indeed, I just got to that part
Ram A M wrote:
If one wanted to achieve a useful distinction, then I suggest warning
when an SSL v2
protocol site is struck, as at least then a real issue is being
addressed.
I have SSL2 disabled and AFAIK it has not limited my access to sites in
a long time. Perhaps it is time to retire SSL2 in
Jean-Marc Desperrier wrote:
I'm surprised nobody has said until now that there's already such a
warning dialog for 40 bit crypto (at least in the suite, maybe FF
removed it).
I don't believe 512 RSA keys trigger it, though.
512 bit keys are a lot stronger than 40 bit, they are
more like about
Gervase Markham wrote:
Ian G wrote:
Why not just put the number of crypto bits on the status
bar, next to the site name, CA name and padlock?
I'm surprised at you, Ian. I would have thought the reason was obvious :-)
It could be blindingly obvious to others ... but it's
not to me!
In Opera
Gervase Markham wrote:
Ian G wrote:
It could be blindingly obvious to others ... but it's
not to me!
Because 99.99% of users will have no idea what the numbers are, nor will
they have any ability to make sensible decisions based on them.
Well, they are generally in a much better position
to make
Julien Pierre wrote:
Hmm, ok, well I suppose that's true as an assumption,
and looking at Account / Settings ... the cert that
is now selected to sign for this email address is
*not* for this email address. This may explain why
it didn't in the end sign for this email ;-)
File a bug on the UI -
Julien Pierre wrote:
Thus, for individual users' self-signed certs to work, everybody would
need to blindly trust everybody else's individual cert. I don't see how
you expect that to actually be workable.
I'd just consider it a step better than unprotected
email. It's what you get for free,
J. Wren Hunt wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Ian G wrote:
| So now I have to figure out how to find a cert for
| this email address. Now given that it took like
| 10 minutes of clicking around by an expert in the
| CA's business to do with the one cert I've got, I'm
J. Wren Hunt wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Ian G wrote:
|
| Right, but considering that this is *email*
| and CAs are simply some optional extra to do
| with commercial users (and we saw what they
| want) then when it comes to *email* there is
| no need to bash anyone's
Financial Cryptography Update: Digitally-Signed Mail in e-Commerce - FC05
survey
March 25, 2005
http://www.financialcryptography.com/mt/archives/000414.html
J. Wren Hunt wrote:
Ian G wrote:
|
|snip I recently installed a good cert into my Thunderbird and I
| still cannot send out signed or encrypted email using S/MIME (I forget
| why).
|
Are you being facetious here?
Nope, I tried to get it going a couple of weeks
ago, and the interface has too many
Hi Julien,
Julien Pierre wrote:
Ian,
Ian G wrote:
For encryption, just now I tried again, and I
may have figured out the problem: it requires
me to select a certificate, which wasn't
obvious the first time I went through the various
dialogues; it should just automatically select
the one cert
Ian G wrote:
Hmm, ok, well I suppose that's true as an assumption,
and looking at Account / Settings ... the cert that
is now selected to sign for this email address is
*not* for this email address. This may explain why
it didn't in the end sign for this email ;-)
Well, I just tried it from
Gervase Markham wrote:
Ian G wrote:
Solving password loss is a big issue, support departments
put this as one of their biggest problems. So addressing
it at the browser is probably worthwhile.
I'm not quite sure what you mean by solving password loss. Are you
suggesting this feature will help
Frank Hecker wrote:
Ian G wrote:
Nelson B wrote:
Having bought his first cert from CA X, if he ever buys a cert
from CA Y instead, all his users will be alarmed. This gives
CA X opportunity to charge ever higher prices for cert renewals.
In practice this would be the case, if the users
decided
Gervase Markham wrote:
Ram A M wrote:
Showing the name of the company may. Showing
firstbankofsomewhere.sometld is not as reliable as showing First
Bank of Somewhere as the organization name.
I note your example includes a geographical location; not many business
names do. How many First Banks
Original Message
Subject: Re: $90 for high assurance _versus_ $349 for low assurance
Date: 16 Mar 2005 23:17:59 -
From: John Levine [EMAIL PROTECTED]
Organization: I.E.C.C., Trumansburg NY USA
To: cryptography@metzdowd.com
CC: [EMAIL PROTECTED]
John, thanks for this
Nelson B wrote:
Ram0502 wrote:
Ian G wrote:
This is something that Julien brought up and Amir
addressed by setting the border at the CA. As the
user identifies a particular CA as good, the security
app module accepts any cert from that CA.
Nice practical solution.
Except that it creates
Benjamin D. Smedberg wrote:
Gervase Markham wrote:
The chances of this sort of change to the address bar are near-zero.
But have you seen the new domain indicator in Firefox 1.0 and above?
What new domain indicator?
In Firefox 1.0, when the SSL connection is established
without any problems,
Again, I think Nelson brings up points better off
transferred to the wider forum rather than within
the narrow context of the bug.
[EMAIL PROTECTED] wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=286107
--- Additional Comments From [EMAIL PROTECTED] 2005-03-16 13:33 PST ---
Above, I
Gervase Markham wrote:
On a related point, can we perhaps use this new high/low assurance bit
in the cert store as something to hang cert revocation off? If you want
to be in the high assurance store, you have to have a working OCSP
server defined in your certs, or something like that?
That
Nelson just posted a bug comment, but I think the
response and discussion of the points he raised
are too broad for that bug, so I'll move them here,
if nobody minds.
I have two points to make here - the reality of
the CA trust decision, and the goal.
[EMAIL PROTECTED] wrote:
Ram A M wrote:
I think there is value in the concept but it has a major failing from a
usability perspective that falls out of data center operational
practices. How many webservers do you think a big bank has? Some folks
use SSL accelerators in front of their web-server or app-server farm,
some
Nate wrote:
...and it occurs to me yet once again, that one big reason for the
proliferation of spam, spyware, viruses and on and on ad nauseum is
that the bad guys hardly ever suffer any punishment. It's like
burglars being allowed to try as many doors as they want to.
Yup. And, no matter how
Gervase Markham wrote:
Er... which paper?
The link was at the bottom, here it is again:
http://www.ischool.washington.edu/networksecurity/Articles/Web_Security.pdf
And if still keen, read this one:
http://www.ischool.washington.edu/networksecurity/Articles/Risks_Harms_Web.pdf
Also, while we are on
assurance _versus_ $349 for low assurance
Date: Sun, 13 Mar 2005 19:15:13 -0500
From: R.A. Hettinga [EMAIL PROTECTED]
To: Ian G [EMAIL PROTECTED], cryptography@metzdowd.com
CC: John Gilmore [EMAIL PROTECTED], mozilla-security@mozilla.org
References: [EMAIL PROTECTED] [EMAIL PROTECTED]
At 9:24 PM + 3
J. Greenlees wrote:
why not add the ability to permanently reject a certificate?
such as a cert from an advertising company?
( for some reason I get a cert error for a cert from www.ad-space.net )
Why would an advertising company use a cert?
the cert itself is fine, the issuing authority is one
OK, sounds like fun :) Following are some MINOR comments
that hopefully would improve the proposal ... I'll post
my two MAJOR comments under separate cover.
iang
Frank Hecker wrote:
Prompted by some comments by Gerv Markham, the following is a strawman
proposal for changing the Firefox UI
Duane wrote:
Ian G wrote:
Right, another obstacle. If all countries had hard ID like
some of the Europeans had, *and* this was an international
standard like the US wants with passports, then this might
help.
A lot of people in Australia and other countries never get passports...
I've also
In the below, John posted a handy dandy table of cert prices, and
Nelson postulated that we need to separate high assurance from low
assurance. Leaving aside the technical question of how the user
gets to see that for now, note how godaddy charges $90 for their
high assurance and Verisign charges
Gervase Markham wrote:
Michael Roitzsch wrote:
If I understand things correctly, you want to have the browser
maintain a sort of whitelist of domains the user trusts. Whenever the
browser encounters a new SSL domain, the user is asked, if she wants
to include it in the list of trusted domains.
Gervase Markham wrote:
Idea off the top of my head - please tell me why it won't work.
Could we parse all form submissions over unencrypted channels and put up
an alert (You _really_ don't want to do this!) if any of the fields
was a sixteen-digit number which passed the credit-card-number
Gervase Markham wrote:
Ian G wrote:
Yup. Go through their logs, pull out all the URLs that
are cached there, and run them through the hash.
Er... if the URLs are available in plain text in their logs (I
presume you mean history), then there's no need for them to reverse
the hash. They can
Gervase Markham wrote:
HJ wrote:
You can hash a particular domain and say "has the user visited
https://www.foo.com?" (which is the question the browser needs to
know to do the new site indicator). But you can't say "give me a
list of all the domains they visited."
In a perfect world maybe, but
Ka-Ping Yee wrote:
How does a user know that Paypal GmbH or Paypal Ltd is not the same as
Paypal, Inc, without being able to compare the two? Company names are
not global.
It depends on the CA's policies. It would be nice to have a
trustworthy CA tell me that i'm dealing with the company
HJ wrote:
Nelson B wrote:
HJ wrote:
Having troubles reading the text, try this one:
http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bimsheet.jpg
First of all, i've just updated my screenshot:
Jean-Marc Desperrier wrote:
Ian G wrote:
[...]
OK, that's good to know that there is no number
involved. That just leaves us with determining
what information *is* in this cert, and how it is
that it needs to be presented to the user, and
what the legal and contractual ramifications of
all
Opera Battles Spoofing in Latest Beta Release
February 25, 2005
By Matt Hicks
Responding to the rise of a spoofing flaw in Web browsers, Opera
Software ASA has released a second beta release of its next browser with
extra security features.
The newest Opera beta, made available on Friday,
Jean-Marc Desperrier wrote:
Ian, I have not much time now, but the hungarian cert in question is
*not* using the monetary limit extension, only the extension to say it
is a qualified certificate, which consists just of an OID and is
therefore easy to parse.
OK, that's good to know that there
Gervase Markham wrote:
Ian G wrote:
What happens if IangInsidiousIssues sells
certs with the crit in it saying $100,000 but
inside the crit text, there is a caveat saying
that the limit only applies if spent in my
shop buying my goods?
There's crit text too? It's not just a monetary value
J. Greenlees wrote:
3. Consider these three cases:
(a) Unencrypted connection.
(b) SSL connection with a self-signed certificate.
(c) SSL connection with a certificate signed by a known CA.
Of these three options, (a) is the riskiest context in which
to submit an HTML form; (b) and
hi Ping,
I have a different perspective on the Shmoo thing, below.
Ka-Ping Yee wrote:
When i asked what happened, i meant that i'd like to know the story
of how IDN support got added to Firefox in the first place. (Sorry i
wasn't so clear.) Were security folks aware that it was being added?
Did