On Mon, Jun 06, 2005 at 07:36:04AM -0700, bruce wrote:
> and matt.. now you see the issue that i've been dealing with...
> my bad for not clarifying it earlier.. the ssl aspect helps, but it still
> doesn't get to the issue of allowing someone to 'know' or be extremely
> certain, that the site they're on, is the 'right' site for the url that
> they're trying to obtain...

I think it'd help a lot if you'd clarify exactly who you're trying to help,
here. All visitors to a general-interest web site? Your customers? All
employees of a business, or other members of your own organization?

> on a similar tip. if you lose your password.. what's a secure way to get the
> password. the current method (of course) is to send you a new password via
> email.. assuming that you know your username. but given the fact that email
> is text, and could easily be sniffed, is there another/better way.. (and
> let's not get into public/private encryption!!)

The method you describe is one of the poorer current methods. A slightly
better one sends a hashed URL to the e-mail on record, and if you then go to
that site, you can set a new password. Still somewhat weak, but at least the
actual password isn't going in plain text -- and presumably, if someone else
changes your password by intercepting the mail, you'll at least know about
it.

[ps: it'd make this conversation go easier if you could not top post --
thanks!]

-- 
Matthew Miller           mattdm@xxxxxxxxxx        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.
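
Added example, not part of the original message: one way to implement the reset-link approach described in the reply above, reading "hashed URL" as a URL that carries a random single-use token of which the server keeps only a SHA-256 hash. The `example.invalid` URL, the 15-minute lifetime, the in-memory table and the function names are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime, not taken from the thread
RESET_URL = "https://example.invalid/reset?token="   # placeholder site

# In-memory stand-in for a database table: token_hash -> (username, expires_at)
_pending = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_url(username, now=None):
    """Build the URL to mail to the address on record for `username`."""
    now = time.time() if now is None else now
    # A new request invalidates any earlier link for the same account.
    for stale in [h for h, (u, _) in _pending.items() if u == username]:
        del _pending[stale]
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    # Only the hash is stored, so a leaked table does not yield usable links.
    _pending[_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    return RESET_URL + token


def redeem(token, now=None):
    """Return the username once for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    # pop() makes the link single use: a second visitor with the same
    # token is refused, which is how the account owner notices a problem.
    record = _pending.pop(_digest(token), None)
    if record is None:
        return None
    username, expires_at = record
    if now > expires_at:
        return None
    return username   # caller now shows the "set a new password" form
```

The password itself never travels by mail; the new one is chosen over the HTTPS session after `redeem` succeeds.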