matt.. i was referring to the issue of anything sent via email that's not encrypted is 'weak'.. if you send a hashed passwd/data via email, along with a url for the user to link to, you're still in the same situation you have now.. someone could spoof your email and send it, changing the url...

it's obvious that i'm only interested in this problem/solution as it pertains to sites that require you to login (user/passwd) because the site has something of value... these are also the sites with the $$$ for a reasonable/good solution!

-bruce

-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Matthew Miller
Sent: Monday, June 06, 2005 8:02 AM
To: For users of Fedora Core releases
Subject: Re: how can you verify that the site you get is not a fake?

On Mon, Jun 06, 2005 at 07:36:04AM -0700, bruce wrote:
> and matt.. now you see the issue that i've been dealing with...
> my bad for not clarifying it earlier.. the ssl aspect helps, but it still
> doesn't get to the issue of allowing someone to 'know' or be extremely
> certain, that the site they're on, is the 'right' site for the url that
> they're trying to obtain...

I think it'd help a lot if you'd clarify exactly who you're trying to help,
here. All visitors to a general-interest web site? Your customers? All
employees of a business, or other members of your own organization?

> on a similar tip. if you lose your password.. what's a secure way to get the
> password. the current method (of course) is to send you a new password via
> email.. assuming that you know your username. but given the fact that email
> is text, and could easily be sniffed, is there another/better way.. (and
> let's not get into public/private encryption!!)

The method you describe is one of the poorer current methods. A slightly
better one sends a hashed URL to the e-mail on record, and if you then go to
that site, you can set a new password. Still somewhat weak, but at least the
actual password isn't going in plain text -- and presumably, if someone else
changes your password by intercepting the mail, you'll at least know about it.

[ps: it'd make this conversation go easier if you could not top post -- thanks!]

-- 
Matthew Miller           mattdm@xxxxxxxxxx        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
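The "hashed URL" reset flow Matt describes, as an added worked example that is not code from either poster or from any Fedora project: the server mails a random single-use token inside a link and stores only a hash of that token with an expiry, so a sniffed mail is useful for one click at most and a read of the token table yields nothing usable. The class and function names, the example.invalid base URL, the 15-minute lifetime, the in-memory store and the FakeClock are all assumptions made for illustration. It addresses bruce's sniffing concern; it does not address his spoofed-mail concern, since clicking a link only proves control of the mailbox, not that the mail came from the real site.

```python
"""Password reset by e-mailed one-time link (added example, not from the thread)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; shorter is safer


@dataclass
class ResetRecord:
    user: str
    token_hash: str      # SHA-256 of the token; the raw token is never stored
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Issues and redeems reset tokens. The store is an in-memory dict
    constructed for this example; a real deployment would use a database."""

    def __init__(self, base_url: str = "https://example.invalid/reset",
                 clock: Callable[[], float] = time.time) -> None:
        self._records: Dict[str, ResetRecord] = {}  # keyed by token hash
        self._base_url = base_url
        self._clock = clock

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored, so a leaked copy of the table does not
        # hand out working reset links; the token has 256 bits of entropy,
        # so the hash needs no salt or slow KDF.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user: str) -> str:
        """Create a fresh token for `user` and return the URL to e-mail."""
        # Any earlier outstanding token for the same user is invalidated,
        # so an old sniffed link cannot be replayed after a new request.
        for h, rec in list(self._records.items()):
            if rec.user == user:
                del self._records[h]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        rec = ResetRecord(user, self._hash(token),
                          self._clock() + TOKEN_TTL_SECONDS)
        self._records[rec.token_hash] = rec
        return f"{self._base_url}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the user name if `token` is valid, unexpired and unused,
        marking it used; otherwise None. The caller then sets the new
        password and should invalidate existing sessions."""
        rec = self._records.get(self._hash(token))  # lookup by hash, never by raw token
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        rec.used = True  # single use: a link that was already clicked is dead
        return rec.user


def token_from_url(url: str) -> str:
    """Extract the token the user's browser would send back from the link."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


class FakeClock:
    """Settable clock so expiry can be demonstrated without waiting."""

    def __init__(self, t: float) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock(1_000_000.0)
    svc = PasswordResetService(clock=clock)
    url = svc.issue("bruce")
    print("mail to user:", url)
    tok = token_from_url(url)
    print("first click  ->", svc.redeem(tok))    # bruce
    print("second click ->", svc.redeem(tok))    # None: single use
    url2 = svc.issue("bruce")
    clock.t += TOKEN_TTL_SECONDS + 1
    print("late click   ->", svc.redeem(token_from_url(url2)))  # None: expired
```

The reset page that receives the token should require the user to type a new password there rather than issuing one, and should send a plain "your password was changed" notice to the same address afterwards, which is what gives the legitimate user the chance Matt mentions to notice an interception.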