On Mon, 2005-06-06 at 09:36, bruce wrote:
> and matt.. now you see the issue that i've been dealing with...
>
> my bad for not clarifying it earlier.. the ssl aspect helps, but it still
> doesn't get to the issue of allowing someone to 'know' or be extremely
> certain, that the site they're on, is the 'right' site for the url that
> they're trying to obtain...

In theory, when using https, your browser should alert you if the site
does not have the certificate issued by a trusted authority for that
domain name - unless you previously chose to accept the certificate
that they do have. In practice, people can be fooled by making the
visible part of a link (both in the linking page and, with some tricks,
in the browser location window) say what you expect but in fact have
a URL going to a different site. Or they may just click the 'accept'
popup and go on anyway.

> on a similar tip. if you lose your password.. what's a secure way to get the
> password. the current method (of course) is to send you a new password via
> email.. assuming that you know your username. but given the fact that email
> is text, and could easily be sniffed, is there another/better way.. (and
> let's not get into public/private encryption!!)
>
> any ideas/thoughts...

Most places let you change your own password online through an https
connection, so if you have a password sent by email, then quickly
change it yourself, you can limit your exposure. Also, you can
use the ssl variations of pop or imap to avoid sniffing on your
side of the link and if you don't trust your ISP you should look
for a different one.

--
  Les Mikesell
    lesmikesell@xxxxxxxxx
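The link-text problem described in the reply above can be checked mechanically on the receiving side, for example in a mail filter or page audit. The following is an added example, not part of the original message: it flags anchors whose visible text names one host while the `href` goes to another. The function names, the `SAMPLE` markup and all host names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Link text that is itself a host name or URL, e.g. "www.bank.example/reset".
HOST_LIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?(?:[/?#].*)?$", re.I)
# Constructed sample input; every host name here is a placeholder.
SAMPLE = """<p>Change your password at
<a href="https://login.other.example/reset">https://www.bank.example/reset</a>,
read the <a href="https://www.bank.example/help">help page</a>,
or go to <a href="https://bank.example/">www.bank.example</a>.</p>"""

def norm(host):
    """Lower-case a host and drop a trailing dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def host_of(url):
    """Host of an absolute URL, or None for relative or malformed ones."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return norm(host) if host else None

class LinkCollector(HTMLParser):
    """Collects (visible_text, href) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Return (text, shown_host, real_host) where the text names a different host."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    pairs = ((HOST_LIKE.match(text), text, host_of(href)) for text, href in collector.links)
    return [(text, norm(m.group(1)), real) for m, text, real in pairs
            if m and real and norm(m.group(1)) != real]
```

Only links whose whole visible text looks like a host or URL are compared, so ordinary wording such as "help page" is never flagged; relative links are skipped because they stay on the current site.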