15 Sep
2003
15 Sep
'03
9:25 p.m.
It's bad enough now; it could be even worse. They could respond on port 443, too, with a legitimate-seeming certificate -- they're *Verisign*, the leading certficate authority. In the security world, we call this a man- (or monkey-)in-the-middle attack, for which the standard defense is crypto. But that doesn't work well when your trusted third party is part of the threat model... --Steve Bellovin, http://www.research.att.com/~smb