On 6/6/05, Matthew Miller <mattdm@xxxxxxxxxx> wrote:
> On Mon, Jun 06, 2005 at 06:05:58AM -0700, bruce wrote:
> > but you still haven't addressed my problem/issue/question...
> > and that's how do i as a user (not an app) know that this is the right
> > site for the url i entered... my fear is that a malicious site, could
> > simply fake the information he's providing, to 'look' like the actual/real
> > site...
> > and as of yet.. i can't craft a solution to this issue...
>
> You could trust us that it's very hard to fake the SSL information, and then
> you could inspect that. (Double click on the little lock icon.) You'll see
> something like:
>
> Web Site Identity Verified
>
> The web site www.bu.edu supports authentication for the page you are
> viewing. The identity of this web site has been verified by Thawte
> Consulting cc, a certificate authority you trust for this purpose.
>
>
> In the Firefox advanced preferences, you can manage which certificate
> authorities you trust.

Nah! That's not enough... many web browsers are vulnerable to cross-site
scripting code. I've seen some real proof-of-concept web sites that, by using
a main frame protected via HTTP/S and a valid SSL certificate, were vulnerable
to cross-site scripting-like attacks that were able to insert fake pages into a
subframe without the web browser even alerting about it.

SSL is very good, but poor implementations of web browsers, protocols, and the
end-user itself make it far from the perfect solution.

So the answer is: you really can't be sure 100% the site you're seeing is
really the site you're expecting to see. To alleviate the problem, always enter
the URL manually on your web browser, check the SSL certificate, the CA that
signed the SSL certificate and the IP address of the target machine.
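The manual checks the reply ends with (look at the certificate, the CA that signed it, and the IP address you actually connected to) can be scripted so the result is compared against what you expect rather than eyeballed in a dialog. The following is an added example written for this thread, not code from any of the posters; it uses only the Python standard library `ssl` and `socket` modules. The live connection path is optional; the summarising and checking functions run on a certificate dictionary in the same shape `getpeercert()` returns, and the sample certificate, hostnames, CA name and IP addresses below are constructed for illustration.

```python
"""Inspect what a TLS server presents and check it against expectations.

Added example (not from the original mailing-list thread). Assumes Python 3
with the standard-library ssl and socket modules only.
"""
import socket
import ssl


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Connect with the system CA store and return (cert dict, peer IP).

    create_default_context() verifies the chain and the hostname, so a
    certificate that does not match raises ssl.SSLCertVerificationError
    before we ever see it.  getpeercert() then gives the parsed leaf cert.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.getpeername()[0]


def _dn_to_dict(rdns):
    # getpeercert() encodes a DN as a tuple of RDNs, each a tuple of (key, value)
    return {key: value for rdn in rdns for key, value in rdn}


def _match_dns(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def summarize(cert, hostname):
    """Reduce a getpeercert() dict to the fields a user would check by hand."""
    subject = _dn_to_dict(cert.get("subject", ()))
    issuer = _dn_to_dict(cert.get("issuer", ()))
    dns_names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        "issuer_cn": issuer.get("commonName"),
        "dns_names": dns_names,
        "hostname_matches": any(_match_dns(p, hostname) for p in dns_names),
        "not_after": cert.get("notAfter"),
    }


def check_expectations(summary, peer_ip, expected_issuer_org, expected_ips):
    """Return a list of human-readable problems; empty means all checks passed."""
    problems = []
    if not summary["hostname_matches"]:
        problems.append("hostname is not listed in the certificate's DNS names")
    if summary["issuer_org"] != expected_issuer_org:
        problems.append("issuer %r is not the expected CA %r"
                        % (summary["issuer_org"], expected_issuer_org))
    if peer_ip not in expected_ips:
        problems.append("connected to unexpected address %s" % peer_ip)
    return problems


# Constructed sample in the exact shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "ZA"),),
               (("organizationName", "Example CA Ltd"),),
               (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "version": 3,
}
SAMPLE_IP = "203.0.113.10"  # constructed, from the documentation range


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    s = summarize(SAMPLE_CERT, "www.example.test")
    print(s)
    print(check_expectations(s, SAMPLE_IP, "Example CA Ltd", {SAMPLE_IP}))
    # Live check, e.g.:  cert, ip = fetch_peer_cert("www.example.test")
    # then summarize(cert, ...) and check_expectations(...) as above.
```

Pin `expected_issuer_org` and `expected_ips` to values you recorded on an earlier trusted visit; a sudden change in either is exactly the signal the reply says a user cannot get from the lock icon alone.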