Björn Persson wrote:
If you are really paranoid (or about to do large transactions on what
you hope is your banking site), you could do a 'whois' lookup for the
target domain to find their own name servers and send a query directly
there for the target site.
Check that the domain name in the address bar is right, that you're using
HTTPS, and that the bank's certificate has been verified correctly. Then
you're safe, unless the attacker has *also* managed to trick one of the
certification authorities into issuing a false certificate, or somehow
sneaked a false CA certificate into your browser.
You aren't paranoid enough. What if the spoofer is also a system
administrator at the bank with access to a copy of the real certificate
that he installs on the machine he's tricked your dns into reaching -
with the expected name that you'll still see.
--
Les Mikesell
lesmikesell@xxxxxxxxx
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
