[13586] in cryptography@c2.net mail archive
Re: The real problem that https has conspicuously failed to fix
daemon@ATHENA.MIT.EDU (Jeffrey I. Schiller)
Wed Jun 11 16:58:02 2003
X-Original-To: cryptography@metzdowd.com
Date: Wed, 11 Jun 2003 16:11:59 -0400
From: "Jeffrey I. Schiller" <jis@mit.edu>
To: Pete Chown <Pete.Chown@skygate.co.uk>
Cc: cryptography@metzdowd.com
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Oh, and btw, the form posting URL in my message wasn't even https, it
was just http. So all the futzing in the world with https wouldn't help!
-Jeff
Pete Chown wrote:
> John R. Levine wrote:
>
>> Crypto lets someone say "Hi! I absolutely definitely
>> have a name somewhat like the name of a large familiar organization,
>> and I'd like to steal your data!" ...
>
>
> It might help if browsers displayed some details of the certificate
> without being asked. For example, instead of a padlock, the browser
> could have an SSL toolbar. This would show the verified name and
> address of the site you are connected to.
>
> The bar could also show the server name for unverified connections. This
> would avoid the attacks that use URLs like
> http://www.microsoft.com:officesupport@virus.com .
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
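
Added example (not part of either message above): a small check a mail filter or link previewer could run to surface the two problems raised in this thread, namely a URL whose userinfo part imitates a familiar host name and a form target that is plain http. The function name inspect_url and every sample URL except the one quoted by Pete Chown are constructed for illustration.

```python
from urllib.parse import urlsplit


def inspect_url(url):
    """Return (real_host, findings) for a link or form-action URL.

    Hypothetical helper: real_host is the host the client would actually
    connect to, findings is a list of short warning tags.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # A form posted over plain http gets no protection from https at all.
    if parts.scheme.lower() != "https":
        findings.append("not-https")

    # Everything before the last '@' in the authority is userinfo
    # (user[:password]); it plays no part in choosing the server.
    if "@" in parts.netloc:
        findings.append("userinfo-present")
        user = (parts.username or "").lower()
        # A dotted "user name" that differs from the real host reads like
        # a host name to a person skimming the link.
        if "." in user and user != host:
            findings.append("userinfo-looks-like-hostname")

    return host, findings


if __name__ == "__main__":
    samples = [
        # URL quoted in the message above.
        "http://www.microsoft.com:officesupport@virus.com",
        # Constructed samples.
        "http://forms.example.net/post",
        "https://www.example.com/login",
    ]
    for url in samples:
        host, findings = inspect_url(url)
        print(f"{url}\n  connects to: {host}\n  findings: {findings or 'none'}")
```
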