Quote:
Originally Posted by zottel
I took a short look at this thread, and if I get it right, what's proposed there is turning off the validity checking for SSL certificates—which doesn't really sound like a good idea, IMHO. That means that your communication will still be encrypted, but you can't be sure that the site you are connected to is really the one it claims to be.

Ok, it's rather complicated to use this vulnerability for an attack. There'd be DNS spoofing involved, so the attacker would have to have access to a DNS server you use, or to the DNS server that holds the information about the spoofed-as site, or to your own /etc/hosts file. But it's a risk I wouldn't take, at least when online banking is involved.

What was the error you got when it didn't work? In the thread you linked to, someone said something about a hostname mismatch—the certificate was issued for another hostname than the one he was actually connected to. I recently saw that the Apple Keychain shows this error even if there is only a case mismatch in the certificate—e.g. if the certificate was issued for www.MySpace.com, but the server identifies itself as www.myspace.com.

Wasn't there a thread here some time ago about OW turning all hostnames into lowercase to make URL spoofing harder? (Like using a capital i as an L—the host www.googie.com with the i capitalized—www.googIe.com—will look like www.google.com (GOOGLE, not GOOGIE) in most sans-serif fonts.) Might that be the source of the problem?

You raise many important concerns here, ones that I was wondering about myself. If I go to sites already bookmarked, however, won't that be safe? In other words, as long as I don't click on links provided elsewhere, it should be safe, no?

I would be interested in figuring out why this suddenly occurred. Others using Safari experienced the same problem. But thus far no OW users have posted here about the issue.

Thanks.
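As an added illustration (not code from this post, from zottel, or from OmniWeb), here is a hostname matcher that applies the case-insensitive comparison RFC 6125 requires, so a certificate issued for www.MySpace.com is accepted for www.myspace.com, while the capital-I look-alike www.googIe.com still fails against www.google.com even after lowercasing. All certificate names and hostnames below are constructed sample values.

```python
def _normalize(name: str) -> str:
    # DNS names compare case-insensitively (RFC 4343), so www.MySpace.com
    # and www.myspace.com denote the same host; a trailing dot is ignored.
    return name.rstrip(".").lower()


def dns_id_matches(presented: str, reference: str) -> bool:
    """True if a certificate DNS name (presented) matches the host the
    client intended to reach (reference), following RFC 6125 rules:
    case-insensitive label comparison, and a wildcard allowed only as
    the entire leftmost label, matching exactly one label."""
    p_labels = _normalize(presented).split(".")
    r_labels = _normalize(reference).split(".")
    # Label counts must agree; a wildcard never spans multiple labels.
    if len(p_labels) != len(r_labels) or len(p_labels) < 2:
        return False
    # A "*" anywhere except the leftmost label is not a valid wildcard.
    if any("*" in label for label in p_labels[1:]):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a bare TLD such as "*.com".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == r_labels[1:]
    return p_labels == r_labels


def verify_hostname(cert_dns_names: list, hostname: str) -> bool:
    """Accept the connection only if some subjectAltName dNSName in the
    certificate matches the hostname the user actually typed."""
    return any(dns_id_matches(n, hostname) for n in cert_dns_names)


if __name__ == "__main__":
    # Case-only difference: should match, not raise a mismatch error.
    print(verify_hostname(["www.MySpace.com"], "www.myspace.com"))
    # Look-alike host: lowercasing yields www.googie.com, which is not
    # www.google.com, so the certificate is correctly rejected.
    print(verify_hostname(["www.google.com"], "www.googIe.com"))
```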