Re: Spoofing as the postmaster

From: Andrew Sullivan <ajs(at)crankycanuck(dot)ca>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Spoofing as the postmaster
Date: 2007-12-28 15:26:31
Message-ID: 20071228152631.GA15128@crankycanuck.ca
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Sat, Dec 29, 2007 at 02:09:23AM +1100, Naz Gassiep wrote:
> In the web world, it is the client's responsibility to ensure that they
> check the SSL cert and don't do their banking at
> www.bankofamerica.hax0r.ru and there is nothing that the real banking
> site can do to stop them using their malware infested PC to connect to
> the phishing site.

The above security model is exactly how we got into the mess we're in:
relying entirely on the good sense of a wide community of users is how
compromises happen. Strong authentication authenticates both ways.

For instance, the web world you describe is not the only one. Banks who
take security seriously have multiple levels of authentication, have trained
their users how to do this, and regularly provide scan tools to clients in
an attempt (IMO possibly doomed) to reduce the chances of input-device
sniffing.

A

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Trevor Talbot 2007-12-28 15:48:22 Re: Spoofing as the postmaster
Previous Message Naz Gassiep 2007-12-28 15:09:23 Re: Spoofing as the postmaster