Nicholas Sherlock wrote:
An attacker can use precisely the same mechanism to serve their own certificate. Your website will have carefully trained the user in advance to ignore all security warnings and accept the rogue certificate. What a waste of time. The only thing you're protecting against is a passive attacker.
"Verified by Visa" is blazing the trail in training users to give their credentials to any tom, dick and harry who asks for them under the right-looking banner. Who can compete with that? -- Nick Kew --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|