Bruce, I think you missed my point here: No matter how secure the client's browser is, or even if he uses a custom-made Client Access Program (believe me, the banks in Denmark used that approach at first because browsers weren't secure enough), it still doesn't change the fact that there may be other factors that cause the transmission to be insecure. A packet sniffer doesn't have to be in any way connected to the browser or other program used to access your server. And if the program used is made correctly (as in, not IE), you won't be able to detect whatever's running outside that program from the server side.

And packet sniffers already exist on the majority of computers: firewalls, anti-virus, and network traffic monitors. They all do, or can, read the contents of the network packets going in and out of the computer. I have numerous versions of those; some of them will let me actually see the contents of each and every network packet ... Packet sniffers exist that'll let you monitor the network traffic on a remote computer, without even having access to that computer (one of my friends did it to me just to show how easy it is). So even if your server could see that the program your client uses is as secure as can be, there isn't any way possible that you'll be able to see if the connection between you and the client is tapped or not...

My bank in Denmark uses custom encryption plugins for the browser because the built-in encryption system isn't good enough. Their system is based upon HTML websites only because it's more comfortable to use, but without their custom plugin and the digital key I have to install to make it work, the online banking website is completely inaccessible. Their system doesn't even use normal cookies because it'd leave footprints on your computer. But it still doesn't change the fact that it still communicates through normal HTTP and TCP commands, and that the packets are still readable, although encrypted...
Rene

Documented research indicate that on Wed, 22 Jun 2005 06:00:48 -0700, "bruce" wrote:

> rene...
>
> the scenario that i'm envisioning could very well cause people to get
> ticked. but i also can easily see financial institutions starting to tell
> their customers, that unless your system is of a certain level, or running a
> certain kind of browser, that you'll get charged more to do business with
> them...
>
> security is an issue, and it's going to get larger. and that will require
> thinking about the user/client's setup..
>
> if i as a bank, refuse to allow you to sign in to my server, because i detect
> that your client is not valid/legitimate, meaning i think it's been hacked,
> how have i trampled the rights of anyone. i haven't. will some customers
> run, sure.. perhaps.. will i potentially feel better. yeah. will i
> potentially have something that i can promote as an extra level of security
> that others don't have, maybe..
>
> let people continue to read/hear about massive losses of data and see what
> happens...
>
> rene, you also have to understand, i'm not trying to determine if the user's
> entire system is 'clean/valid'. i'd settle for a way of knowing that the
> browser/client that i'm talking to is legitimate!!
>
> -bruce

--
Rene Brehmer aka Metalbunny

We have nothing to fear from free speech and free information on the Internet, but pop-up advertising!

http://metalbunny.net/
My little mess of things...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php