On Fri, 2008-07-25 at 13:32 -0500, Les Mikesell wrote: > Björn Persson wrote: > > > >> If you are really paranoid (or about to do large transactions on what > >> you hope is your banking site), you could do a 'whois' lookup for the > >> target domain to find their own name servers and send a query directly > >> there for the target site. > > > > Check that the domain name in the address bar is right, that you're using > > HTTPS, and that the bank's certificate has been verified correctly. Then > > you're safe, unless the attacker has *also* managed to trick one of the > > certification authorities into issuing a false certificate, or somehow > > sneaked a false CA certificate into your browser. > > You aren't paranoid enough. What if the spoofer is also a system > administrator at the bank with access to a copy of the real certificate > that he installs on the machine he's tricked your dns into reaching - > with the expected name that you'll still see. Exactly. I've made the decision to surf the Internet using only a sketch pad and sticks of medium charcoal for the next several months, until this is all resolved. Last time something like this happened my cousin caught a trojan that got into is toaster. It later grew and arm and stabbed him in the eye. It was a big joke for a while (http://xkcd.com/293/) and eventually attained urban myth status. But all myths have their basis in reality and I was there for this one. Remember, just because you're paranoid, doesn't mean your not in dire need if immediate assistance from a mental health professional. [sheesh] Andy -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
