swa66 - 5:37 pm on Feb 13, 2008 (gmt 0)
But the real problem is not there. The real problem is those client PCs getting reconfigured. Now, banks should by now -come on!- use SSL. A pop-up warning should be shown by the browser. Well, the browser should stop there: no valid SSL cert, no showing of the content. Not a nice accept button that will make it seem like the certificate is valid (it failed the only important test). Options like "inspect the certificate" are utterly useless: humans cannot validate; if the digital signature is wrong, it's final: wrong, and what's still in there is purely informational. If we want to allow self-signed certificates, the path forward is simple: user, please use out-of-band methods to get the fingerprint of the certificate, verify you get it from the right source, and enter it here before we proceed. With the current attitude of browser crafters, we'll never defend against man-in-the-middle attacks. And nothing can defend against unreliable clients. Guess we'll need to pull out a few whips to those coding software and make them responsible (read: liable) for what they craft.
I agree the posts seem to confuse publicly available DNS servers that for some reason are
a- open
b- not responding with the right information