[nSLUG] Chebucto Security

Jason Kenney jdkenney at gmail.com
Thu Jan 22 01:51:54 AST 2009


> Yay, it works. Congratulations if you read this far...

I did.  However you didn't address my basic point, which is that you
are still trusting the network not to mislead you about the true end
point(s) you are talking to.  The bank website is one, but the
certificate authority itself is another.  If the browser and its
SSL/TLS implementation can correctly flag a site as malicious when you
are talking to both a forged site, and a fake certificate authority,
then I will concede my point.  But I don't know the answer to this
question, and I didn't see it contained in your reply.  I don't see
how the browser would be able to tell though!


Jason
