tom wrote:

> > Because the intercepted data means nothing

If your PC is compromised data can be intercepted before it is encrypted. Key logger, or just redirect you to a fake site (you couldn't tell).

Look up Spafford's armoured truck analogy.

Encryption is irrelevant with compromised PCs. Current SSL ciphers are plenty strong enough for most individuals' banking needs (Bill Gates may feel differently), but it is all pointless if you can't trust the PC you are using.

If your PC is compromised you can for example no longer trust the list of certificate authorities. A great example of this are the antivirus tools that inspect HTTPS - you install them as a trusted certificate authority, then when visiting SSL sites they generate a temporary certificate on the fly for each site. So the site shows with a padlock, but that just means data got safely from antivirus software to your browser, doesn't tell you anything about the far end (hopefully the antivirus vendors who do this are trustworthy, and also competent, neither of which seems that likely to me).

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
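
An added example, not part of the original post: one way to notice that a locally trusted CA is re-signing HTTPS traffic, by comparing the certificate issuer seen on this PC against the issuer recorded for the same host on a separate, trusted machine. All host names, CA names and the function names are hypothetical, and the sample data is constructed in the shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
from collections import Counter

def issuer_attrs(cert):
    """Flatten the 'issuer' field of a getpeercert()-style dict to {attr: value}."""
    return {key: value for rdn in cert["issuer"] for key, value in rdn}

def find_resigning_issuer(observed, expected):
    """Return (mismatched_hosts, common_issuer).

    observed: host -> certificate dict as seen on this PC
    expected: host -> issuer organizationName recorded on a trusted machine
    common_issuer is set only when two or more hosts mismatch and one
    organisation signed all of them, which is the pattern produced by a
    local CA minting a certificate per site.
    """
    mismatched = {}
    for host, cert in observed.items():
        org = issuer_attrs(cert).get("organizationName")
        if host in expected and org != expected[host]:
            mismatched[host] = org
    orgs = Counter(mismatched.values())
    common = next(iter(orgs)) if len(orgs) == 1 and len(mismatched) > 1 else None
    return sorted(mismatched), common

def _cert(issuer_org):
    # Constructed sample; only the issuer field is needed for this check.
    return {"issuer": ((("countryName", "XX"),),
                       (("organizationName", issuer_org),))}

# Constructed data: issuers noted out-of-band on a machine you trust.
EXPECTED = {
    "bank.example": "Example Public CA",
    "mail.example": "Another Public CA",
    "shop.example": "Example Public CA",
}
# Constructed data: what this PC's TLS stack reports for the same hosts.
OBSERVED = {
    "bank.example": _cert("Example AV Web Shield"),
    "mail.example": _cert("Example AV Web Shield"),
    "shop.example": _cert("Example Public CA"),
}

if __name__ == "__main__":
    print(find_resigning_issuer(OBSERVED, EXPECTED))
```

The expected issuers have to come from a different machine, since a check that relies on the suspect PC's own records inherits the same trust problem.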