Problem with site certificate
clifford_ilkay at dinamis.com
Tue Dec 2 23:12:30 UTC 2008
> On Tue, 2 Dec 2008, Sambit Bikas Pal wrote:
>> authenticity of the trader. Otherwise it completely spoils the purpose
>> of having an encrypted connection. Any malicious third party can claim
> You're sort of correct, it defeats the purpose of having a verified
> connection, the encryption is fine if on a local server for say a CRM
> portal to prevent snooping, besides a lot of people are not prepared to
> pay the exrtive rates some of the previously mentioned services want to
>> to be someone else, issue a self certificate and pose as the original
>> trader, thereby fooling the customer. This is a typical example of
>> man-in-the-middle attack. So inform your bank about this issue.
> True, and I'd expect a bank of all places to use a trusted signer, not
> like they cant afford it.
It is a debatable point how much one can really trust these "trusted"
certificate authorities. The "web of trust" model that PGP uses, for
example, is probably more trustworthy than a central CA that does very
little about verifying the identity of the applicant. I recall someone
who had nothing to do with microsoft.com managed to purchase a
commercial certificate a few years ago just to prove that it could be
done. I have to wonder how many sites out there with "legitimate"
certificates are really bogus but we don't really want to think of that,
do we? Of course if you can manage to subvert DNS, all bets are off anyway.
1419-3266 Yonge St.
Canada M4N 3P6
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3273 bytes
Desc: S/MIME Cryptographic Signature
More information about the ubuntu-users