On Sun, Jun 05, 2005 at 09:26:17PM -0700, bruce wrote:
> ssl certs don't allow you, the user to know if you're at the right site!!
> unless it's not possible to fake the information returned by the server to
> the client. i suspect that the information stream is easily faked...

Since it uses reasonably strong cryptography, no, it's not too easy to do
that.

> my question.. how do you know that paypal.com.. is actually paypal.com
> (paypal), and not a carefully crafted fake!

How do you "know" anything? It all comes down to levels of trust. An SSL
certificate signed by a known authority is pretty good -- I don't know of
any cases where that's been subverted.

--
Matthew Miller           mattdm@xxxxxxxxxx        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.