On Tue, Sep 09, 2003 at 12:29:34PM -0700, Jean-Michel besnard <[EMAIL PROTECTED]> wrote: > On Tue, Sep 09, 2003 at 09:00:28PM +0200, Joerg Rossdeutscher wrote: > > Am So, 2003-09-07 um 23.44 schrieb Colin Watson: > > > On Sun, Sep 07, 2003 at 09:46:02PM +0200, Joerg Rossdeutscher wrote: > > > > Am So, 2003-09-07 um 21.11 schrieb Mario Vukelic: > > > > > You probably don't even get security fixes fo NS 4 anymore! > > > > > > > > Uninteresting, since one would use NS4 only with the bank's site. They > > > > don't need to hack me. They own everything I have... :-) > > > > > > Whoa, sure it's interesting. Consider a man-in-the-middle SSL attack: > > > now somebody else owns everything you have. > > You can not really mount a man-in-the-middle attack if the bank's > certificate (and therefore the public key contained in it) has been > signed by a trusted entity (eg, a CA).
There have been bugs that caused the checking for such a trusted CA not to work properly. And, of course, people have often got used to dismissing obscure prompts about these certificate things ... Cheers, -- Colin Watson [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
