I'm thinking they need a "Send Lawyers" button to the right of "Ask mafia to attack"
Or "Create Restraining Order"
Actually, there is already an "Injunction" boost in Mafia wars, which confers +25 fight defense skills. You can get it by revaulting the "Ties" collection.
She told me that very few people bother questioning the word of a bank employee when they call up!!!
But how were you supposed to know that she was indeed a bank employee?
Did her number at least show up in caller-id? Did it match the bank's prefix? And how fraudproof is caller-id btw? I know a place that allows you to send SMS "from" any number that you pick, even if it isn't officially managed by them... So maybe the same is possible with caller-id.
You don't check the links, you don't use them at all. Instead, you access the site through a bookmark, or via typing in the URL manually if you no longer have a bookmark. It's all too easy to confuse an l with an I or a 1. Or rn and m depending on what font you have. Or the attacker might play similar tricks using exotic characters that you do not even know to exist (How similar is a Greek capital Rho to a capital P?).
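The look-alike problem in the comment above (1 for l, rn for m, a Greek or Cyrillic letter for a Latin one, possibly hidden behind an `xn--` punycode label) can be checked mechanically. What follows is an added example, not code from the thread: it decodes each label, folds look-alike characters to a canonical ASCII "skeleton" and compares that against a list of names the user cares about. The homoglyph table is a small hand-picked subset (an assumption; the full Unicode confusables list is much longer), and the trusted names and hosts in the test are made up. One caveat it bakes in: DNS is case-insensitive and browsers show hostnames lower-cased, so the capital-I-for-l trick only survives in link text, whereas 1-for-l, rn-for-m and foreign-script letters survive in the actual hostname.

```python
import unicodedata

# Constructed look-alike table (an assumption for this example): a few
# Cyrillic and Greek letters that render like Latin ones in common fonts.
# The full Unicode confusables list (UTS #39) is far larger.
HOMOGLYPHS = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03c1": "p",  # GREEK SMALL LETTER RHO (capital Rho lower-cases to this)
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# ASCII characters that pass for letters once rendered: 1 and | for l, 0 for o.
# The two-character cases (rn -> m, vv -> w) are collapsed after folding.
ASCII_FOLD = {"1": "l", "|": "l", "0": "o"}


def script_of(ch: str) -> str:
    """Coarse script name, taken from the first word of the Unicode name."""
    if ch.isascii():
        return "LATIN"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into the Unicode the address bar would show."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label
    return label


def skeleton(name: str) -> str:
    """Fold every character to the ASCII letter it resembles."""
    folded = []
    for ch in unicodedata.normalize("NFKC", name.lower()):
        ch = HOMOGLYPHS.get(ch, ch)
        folded.append(ASCII_FOLD.get(ch, ch))
    return "".join(folded).replace("rn", "m").replace("vv", "w")


def analyse_host(host: str, trusted: list) -> dict:
    """Report whether `host` is a plausible look-alike of one of `trusted`.

    The host is lower-cased first because DNS names are case-insensitive;
    that is why an I-for-l swap only works in link text, while 1-for-l,
    rn-for-m and foreign-script letters survive in a real hostname.
    """
    labels = [decode_label(lab) for lab in host.lower().rstrip(".").split(".")]
    shown = ".".join(labels)
    scripts = {script_of(c) for c in shown if c.isalpha()}
    mixed = len(scripts) > 1            # Latin mixed with Cyrillic/Greek/...
    skel = skeleton(shown)
    looks_like = next((t for t in trusted if skeleton(t) == skel), None)
    impersonation = looks_like is not None and shown != looks_like.lower()
    return {
        "displayed_as": shown,
        "mixed_scripts": mixed,
        "looks_like": looks_like if impersonation else None,
        "suspicious": mixed or impersonation,
    }


if __name__ == "__main__":
    for h in ["paypa1.com", "rnicrosoft.com", "p\u0430ypal.com", "paypal.com"]:
        print(h, analyse_host(h, ["paypal.com", "microsoft.com"]))
```

A bookmark sidesteps all of this, as the comment says; the check is for the case where a link has to be followed anyway, and it errs on the side of flagging anything that folds to a known name without being that name.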
This is actually an excellent example, especially since it is the recipient (web site) which signs the padlocked boxes. This makes it much closer to the real https (where web sites are certified, and generally not clients) than mine with the "fancy envelopes". Also, it addresses the case where the interloper does not care whether his attack has been detected after the fact.
"talking in a crowded room to a friend" (authentication without security) and "whispering to someone you've just met" (not the greatest example, but it should be fairly secure even if you don't have a clue who the hell they are).
It's not about the security of your communication partner, but about security of the communication medium.
Try "passing notes in a classroom":
"notes written on small sheets of paper": any of the people on the way to your target could read the note as well.
"notes sealed in plain Jane white envelopes": more secure, but somebody en route could open the envelope, read the note, and stuff it into a new envelope.
"notes sealed in fancy, hard to find envelopes": most secure, as the interceptor will not have the correct envelope to put the note into.
Nowhere does the trustworthiness of the final target enter into play, only the trustworthiness of those students that pass the message on (i.e. the communications medium).
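The three envelopes above map onto three channel properties: none, confidentiality only, and confidentiality plus integrity. The following is an added example, not from the thread, that makes the middle case concrete with a toy stream cipher and an HMAC "fancy envelope"; the cipher, key handling and the note text are assumptions for illustration and not something to deploy (a real AEAD such as AES-GCM or ChaCha20-Poly1305 does the same job properly). The twist it shows: the student in the middle does not even need to open the plain envelope to change what it says, because flipping bits of the ciphertext flips the same bits of the plaintext.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256. Illustrative only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# "plain Jane envelope": confidentiality only. Layout: nonce || ciphertext
def seal_plain(key: bytes, note: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(note, _keystream(key, nonce, len(note)))


def open_plain(key: bytes, envelope: bytes) -> bytes:
    nonce, ct = envelope[:NONCE_LEN], envelope[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


# "fancy envelope": encrypt-then-MAC with a separate MAC key.
# Layout: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)
def seal_fancy(enc_key: bytes, mac_key: bytes, note: bytes) -> bytes:
    body = seal_plain(enc_key, note)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_fancy(enc_key: bytes, mac_key: bytes, envelope: bytes) -> bytes:
    body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("envelope has been tampered with")
    return open_plain(enc_key, body)


def tamper(envelope: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """The student in the middle: cannot read the note, but knows its layout,
    so XORs (old ^ new) into the ciphertext to rewrite plaintext at `offset`."""
    buf = bytearray(envelope)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[NONCE_LEN + offset + i] ^= o ^ n
    return bytes(buf)


def demo():
    """Returns (what the recipient reads from the tampered plain envelope,
    what happens to the tampered fancy envelope)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    note = b"Meet me at 3pm by the gym"          # constructed sample note
    at = note.index(b"3pm")

    forged_plain = tamper(seal_plain(enc_key, note), at, b"3pm", b"5pm")
    plain_read = open_plain(enc_key, forged_plain)   # silently says 5pm

    forged_fancy = tamper(seal_fancy(enc_key, mac_key, note), at, b"3pm", b"5pm")
    try:
        open_fancy(enc_key, mac_key, forged_fancy)
        fancy_result = "accepted"
    except ValueError:
        fancy_result = "rejected"
    return plain_read, fancy_result


if __name__ == "__main__":
    print(demo())
```

The point for the thread: whether the recipient can be trusted never enters into it; what the MAC buys is that every student who handled the envelope on the way is taken out of the equation.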
So, who can sniff your traffic, who doesn't already own the network you're traveling through?
Some attacks on switches (ARP spoofing, ARP table flooding) would allow passive spying, but no reliable interception. This is because such an attack duplicates switch traffic to both the intended target and the attacker. If the attacker intercepted, rather than just passively listened, it might become obvious that the client is suddenly getting two replies to each packet, and it might start acting strange (dropping connections, etc.).
Also, some physical taps (picking up the electromagnetic fields outside of a cable using a pick-up solenoid) allow one to listen to, but not modify, communication.
Also, passive listening is easier to set up (basically, just a tcpdump...) whereas active interception is more complicated (a proxy).
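Whether the attacker then forwards the traffic or only copies it, the ARP replies that poison the caches look the same on the wire, which is what a detector on the LAN can key on. Here is an added example (not from the thread) of that detection logic run over a constructed sample of ARP "is-at" replies: it flags an IP whose MAC changes, one MAC that answers for both the gateway and another host (the classic two-sided spoof), and a burst of distinct sender MACs of the kind a CAM-table flooding tool produces. All addresses, the gateway role and the thresholds are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a sniffer would report them:
# (seconds, sender_ip, sender_mac, target_ip). Hypothetical addresses:
# 10.0.0.1 is the gateway, 10.0.0.23 the victim, cc:..:99 the attacker.
SAMPLE_REPLIES = [
    (0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.23"),  # legitimate gateway
    (0.5, "10.0.0.23", "bb:bb:bb:bb:bb:23", "10.0.0.1"),  # legitimate client
    (1.0, "10.0.0.1", "cc:cc:cc:cc:cc:99", "10.0.0.23"),  # attacker poisons victim
    (1.1, "10.0.0.23", "cc:cc:cc:cc:cc:99", "10.0.0.1"),  # attacker poisons gateway
    (1.2, "10.0.0.1", "cc:cc:cc:cc:cc:99", "10.0.0.23"),  # re-poison to keep caches
] + [
    # burst of replies from made-up MACs, as a CAM-table flooding tool emits
    (5.0 + i * 0.005, f"10.0.9.{i + 1}", f"de:ad:be:ef:00:{i:02x}", "10.0.0.23")
    for i in range(60)
]


def detect_arp_anomalies(replies, gateway_ip, flood_threshold=50, window=1.0):
    """Walk ARP replies in time order and return (severity, kind, detail) alerts.

    Catches: an IP whose MAC changes (high if it is the gateway), one MAC
    answering for the gateway and another host, and more than
    `flood_threshold` distinct sender MACs within `window` seconds.
    Each distinct alert is reported once even if the attacker re-poisons.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    recent = []          # (timestamp, sender_mac) inside the sliding window
    alerts = []

    def alert(severity, kind, detail):
        entry = (severity, kind, detail)
        if entry not in alerts:
            alerts.append(entry)

    for ts, sender_ip, sender_mac, _target_ip in sorted(replies):
        previous = ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            severity = "high" if sender_ip == gateway_ip else "medium"
            alert(severity, "ip_mac_change", f"{sender_ip}: {previous} -> {sender_mac}")
        ip_to_mac[sender_ip] = sender_mac

        mac_to_ips[sender_mac].add(sender_ip)
        claimed = mac_to_ips[sender_mac]
        if gateway_ip in claimed and len(claimed) > 1:
            others = ", ".join(sorted(claimed - {gateway_ip}))
            alert("high", "gateway_and_host_same_mac",
                  f"{sender_mac} answers for {gateway_ip} and {others}")

        recent = [(t, m) for t, m in recent if ts - t <= window] + [(ts, sender_mac)]
        if len({m for _, m in recent}) > flood_threshold:
            alert("high", "mac_flood",
                  f"more than {flood_threshold} distinct sender MACs within {window}s")
    return alerts


if __name__ == "__main__":
    for severity, kind, detail in detect_arp_anomalies(SAMPLE_REPLIES, gateway_ip="10.0.0.1"):
        print(f"[{severity}] {kind}: {detail}")
```

On a real network the replies would come from a sniffer (tcpdump or scapy) and the gateway IP from the host's routing table; a static ARP entry for the gateway on the monitoring box keeps the detector itself from being fooled.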
Or if you think that would be too annoying, any form that includes a password field?
Exactly! And even better: have a user-maintainable white list of sites that have an unencrypted password field (so that you aren't bothered with noisy warnings whenever you log in to your favorite low-security chat site).
In order to avoid attacks against redirection, key the white list on both the form submission URL and the last URL entered by the user (through address bar or bookmark).
The certificate confirms that I'm connected to a site I don't know (since I haven't been there before), and I'm expecting to be connected to a site I don't know.
It not only confirms to you that you are connected to a site that you don't know, but to this particular site that you don't know. Which means that if something untoward happens, you now know that site a little bit better :-)
But can I trust the site I'm connected to?
This is a common misunderstanding about the purpose of certificates. Certificates don't help you trust the entities that you are doing business with. They only help you trust that you are talking to who you think you are talking to.
A certification agency's job is not to assess the financial solidity of a bank, or the honesty of an online shop. Their only job is to make sure that only that bank, or that shop can get a certificate saying that it is indeed that particular bank or that particular shop.
A certificate confirms that you are indeed connected to aShadyDatingSiteThatIJustDiscovered.com rather than to your spying spouse.
Unfortunately those newfangled EV certificates confuse the issue about purpose of certificates...
Oh, and some sites (such as facebook or hotmail) only use https for the form submission, but not for the template. Theoretically this is secure (because it's the submission of login data that you want to protect, not the mask that is displayed on screen), but in practice it means that neither of the usual tell-tale signs (green/blue bar, https, lock icon) will be present.
The only way to see whether the form is secure or not is then to view source and check whether the form action has https or not. I don't really believe that grandma is going to bother...
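The "view source and look at the form action" check from the comment above, and the whitelist keyed on both the submission URL and the last user-entered URL proposed a few comments earlier, are a few lines of URL logic. The block below is an added example, not something from the thread or any browser: it resolves the form's action against the page URL, decides whether the password would travel over https, and consults an allowlist of (submission origin, entered origin) pairs so that a permanently-http chat site can be silenced without also silencing a form that posts somewhere the user never navigated to. All site names are made up. One caveat the code spells out for the facebook/hotmail pattern: an https action inside an http page protects the credentials only if nobody rewrote that action on the way, which the http page itself cannot guarantee.

```python
from urllib.parse import urljoin, urlsplit


def origin(url: str) -> str:
    """scheme://host:port with the default port made explicit, so that
    http://a.example/ and http://a.example:80/x key the same entry."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def assess_password_form(page_url, form_action, last_typed_url, allowlist):
    """Decide whether submitting a password form should warn.

    page_url        URL of the document that contains the form
    form_action     the form's action attribute (relative, absolute or empty)
    last_typed_url  the last URL the user entered by hand or via a bookmark
    allowlist       set of (submission_origin, entered_origin) pairs the user
                    accepted earlier; keying on both means a redirection that
                    lands the user somewhere else still triggers the warning
    """
    submit_url = urljoin(page_url, form_action or "")   # "" means "post to self"
    submit_https = urlsplit(submit_url).scheme == "https"
    page_https = urlsplit(page_url).scheme == "https"
    key = (origin(submit_url), origin(last_typed_url))

    if submit_https and page_https:
        return {"submit_url": submit_url, "encrypted": True, "warn": False,
                "reason": "page and form action both https"}
    if submit_https:
        # Credentials go over https, but the page carrying the form came over
        # http, so anyone on the path could have rewritten the action attribute.
        reason = "form action is https but the page that served it is not"
    else:
        reason = "password would be sent over plain http"
    return {"submit_url": submit_url, "encrypted": submit_https,
            "warn": key not in allowlist, "reason": reason}


if __name__ == "__main__":
    # the user's "favourite low-security chat site", accepted once
    accepted = {(origin("http://chat.example/login"), origin("http://chat.example/"))}
    print(assess_password_form("http://chat.example/login", "", "http://chat.example/", accepted))
    print(assess_password_form("http://evil.example/steal", "", "http://chat.example/", accepted))
    print(assess_password_form("http://social.example/", "https://login.social.example/post",
                               "http://social.example/", set()))
```

In a browser this would hang off the form's submit event with `form.action` and the session's navigation history standing in for the second and third arguments; the decision logic is the same.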
Missing s? I don't know about yours, but Firefox shows a green bar before the URL with the name of the entity,
Mine shows a very short blue bar.
all browsers show a "lock" symbol
Yes, a small lock icon in the lower right corner.
most people I know expect them in banks and other important websites.
So geeks (and their friends...) know about these. But most others don't, and wouldn't notice without anybody drawing attention to it.
Compare this now with the very noisy warnings that you get when trying to access a site with a bad certificate. Any man-in-the-middle worth his salt is going to opt for the missing lock icon rather than the very obnoxious "add exception" page of Firefox.
The whole "encryption = authentication" idea is stupid and wrong.
Well in many cases, encryption is used to transmit authentication tokens of some kinds (passwords, credit card numbers...). And certificates are needed to make sure nobody plays man in the middle...
The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate is commercialism at its worst.
Indeed. Warnings are needlessly scary, because non-certified SSL is still more secure than no SSL at all (non-certified SSL at least protects against passive listeners).
So, in all logic the warnings should even be more scary for the plain unencrypted http case.
Indeed, nowadays, the smart men-in-the-middle just redirect the hijacked connection to an http page, and don't bother with https, because most users won't notice the missing s in the address bar anyway...
So we could be called "Colondotters?" No thanks.
As in "the red dot at the end of the colon"? Bring it on!
Makeshift double-ended dildo? Or do they ban cucumbers, bananas, carrots, sausages from female prisons?
If women had any sense, they'd rather swallow a banana than a spider...
Do spiders make as big a mess as gerbils when things go wrong?
Not if you wear tight-fitting jeans.
Rorschach Clouds. Seriously.
I look at that picture and all I see are breasts. Mmmmmmmmmmmmm... Boobie Clouds.
And here are some clouds that swing the other way
Is there any need for that safe=off in your query string?
Yes. Or else it would miss the best site
you clearly have too much time on your "hands".
Sorry for this, I forgot to "douche". Just consider it as natural lube...
And more here
And while you're at it, also add this puppy
make sure you finish drinking your coffee before you check your email.
... and conversely, check your email before you start drinking your beer...
with a couple of scantily-clad "analysts",
Think of the straight hackers! Supply some scantily-clad "vaginalists" as well :-)
If I was asked to write an essay on such a topic, my answer would be:
I was a nigger.
... and that micro-essay would even qualify. After all the 500-word limit is a maximum, not a minimum...
Do I need to have Javascript enabled to hear voices and piano on slashdot?
No, for that you need flash.
Thanks.