Re: Growing Bad Practice with Login Forms
From: Rogan Dawes (discard dawes.za.net)
Date: Tue Jul 27 2004 - 09:22:33 CDT
Konstantin Ryabitsev wrote:
> On Tue, 2004-07-27 at 09:55 -0400, Mark Curphey wrote:
>
>>But at that point its too late. The check for server authentication is done
>>after I have sent my username and password. This IMHO is a bad practice that
>>has started to creep into other sites including online banking.
>
>
> Not really. SSL verification is done before the HTTP headers are sent to
> the server (same reason why you can't have name-based SSL virtual
> hosting), so if there is SSL cert mismatch, your browser will alert you
> and if you cancel the connection then, the server won't see any of your
> data.
>
> In fact, presenting the login form on the SSL page won't win you
> anything, since there is no guarantee that you will submit your data to
> the same SSL-enabled server as the one that sent you the login form.
Not so. I assume that you trust the holder of the SSL cert that you
verified prior to submitting your credentials, otherwise you would not
do so ;-)
If they wanted to get your credentials, it is as easy to write an app on
their own server, as it is to modify their page to send your credentials
to a different server, and a lot less suspicious, too!
Rogan
--
Rogan Dawes
*ALL* messages to discard dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"