The real problem that https has conspicuously failed to fix
Jeffrey I. Schiller
jis at mit.edu
Wed Jun 11 16:11:59 EDT 2003
Oh, and btw, the form posting URL in my message wasn't even https, it
was just http. So all the futzing in the world with https wouldn't help!
-Jeff
Pete Chown wrote:
> John R. Levine wrote:
>
>> Crypto lets someone say "Hi! I absolutely definitely
>> have a name somewhat like the name of a large familiar organization,
>> and I'd like to steal your data!" ...
>
>
> It might help if browsers displayed some details of the certificate
> without being asked. For example, instead of a padlock, the browser
> could have an SSL toolbar. This would show the verified name and
> address of the site you are connected to.
>
> The bar could also show the server name for unverified connections. This
> would avoid the attacks that use URLs like
> http://www.microsoft.com:officesupport@virus.com .
>
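An added example, not part of the original thread: a sketch of what the toolbar suggested above would need to compute, using the standard WHATWG `URL` parser to report the server actually contacted and to flag userinfo that imitates a host name. The function name `describeDestination`, the `HOSTNAME_LIKE` heuristic and the control URLs are assumptions made for illustration.

```javascript
// Added example: parse a URL the way a browser does and report the host
// that will actually be contacted, as an "SSL toolbar" might display it.

// Heuristic (assumption): dot-separated labels ending in an alphabetic TLD.
const HOSTNAME_LIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

// Hypothetical helper: returns the real server, whether the scheme gives a
// verified identity, and any warnings a toolbar could surface.
function describeDestination(rawUrl) {
  const u = new URL(rawUrl); // WHATWG URL parser, built into browsers and Node.js
  const warnings = [];

  // Everything before "@" in the authority is userinfo, never the server.
  if (u.username || u.password) {
    warnings.push("URL carries userinfo before '@'");
    if (HOSTNAME_LIKE.test(u.username) &&
        u.username.toLowerCase() !== u.hostname) {
      warnings.push(
        `userinfo "${u.username}" looks like a host name but is not the server`);
    }
  }

  // Plain http carries no certificate, so the server name is unverified.
  const verified = u.protocol === "https:";
  if (!verified) {
    warnings.push("connection is not https; server name is unverified");
  }

  return { server: u.hostname, verified, warnings };
}

// Constructed inputs: the URL quoted in the thread plus two controls.
const samples = [
  "http://www.microsoft.com:officesupport@virus.com",
  "https://www.example.com/login",
  "https://alice@www.example.com/",
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(describeDestination(s)));
}
```
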