On Thu, May 2, 2013 at 11:16 AM, Brad Rogers wrote:
>>users', for whom this kind of thing could indeed be a problem, should
>>never have to accept a certificate anyway.
>
> Maybe not, but that means blindly accepting *all* certs as valid.
> That's unwise, at best.

It is. But which program are you talking about? In most cases certificates should 'just work', without any user intervention. Someone should be able to change their certificate daily, or use five certificates in parallel and it will still "just work".* They definitely won't have to accept anything, let alone everything, as valid.

* I think. It may be that there are separate security checks against such anomalies.

> I've only seen evidence of random accounts used for spamming rather
> than attacks targeted at specific accounts.

I know of several cases where specific accounts were hacked, either of well-known people or of people with access to 'valuable information'. They used social engineering against the user, or against the account recovery mechanism at the provider.

Martijn.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq