[KDE Dot News]

White-listing vs black-listing
by Andrew Yeomans on Tuesday 22/Nov/2005, @01:25
The above improvements sound good. But can I make a further suggestion?

Like many people, I have a few sites that I want complete assurance about, such as my personal banking sites. I don't want to simply trust a third-party CA to vet them, even if it is capable of providing high-assurance. As well as concerns about the business model for that CA, it still will sign a very large number of web-site certificates. If any of those web sites were compromised or the CA was tricked into signing a certificate, it opens an opportunity for the browser to say "highly trusted" when it isn't - and may even be a different web site if DNS could be compromised. And I expect it would take a long time, if possible at all, to persuade all sites to get them signed by one of the "blessed" CAs.

I much prefer the model used by the Petnames extension of Firefox (http://www.waterken.com/user/PetnameTool/), which allows me to register the server digital certificate thumbprint, and to give the site a nick-name ("My bank"). If the certificate changes in any way, I'll get warned and can do the appropriate checks. Effectively I'm managing my own white-list of a handful of sites, so don't need to trust someone else's whitelist of tens of thousands; or even worse a blacklist of far more.

This can co-exist with the proposals above; for example by allowing the user to store their trust relationship which then displays (say) a blue address bar. Other sites will go through the green / red / white display.

Re: White-listing vs black-listing
by kL on Tuesday 22/Nov/2005, @12:46
Certificates protect against hijacked DNS. It's a two-way authentication.
Re: White-listing vs black-listing
by Chase Venters on Tuesday 22/Nov/2005, @14:16
Yes, they do, but this Petnames business can protect against something *else*. Say I set a Petname for amazon.com to be 'Amazon Bookstore'. Now some tricky email directs me to amafon.com, and I'm blind, so I don't see the s/z/f/. The Petname 'Amazon Bookstore' will *not* come up, making it obvious I'm not at Amazon.

Note of course that there will be a nice yellow lock icon anyway, because Amafon.com has bought a security certificate certifying that they are Amafon.com.
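
The petname model discussed in this thread, as an added example that is not code from the Petname Tool or from any poster: a user-managed white-list keyed by certificate thumbprint. The class and function names, the use of SHA-256 as the thumbprint, and the byte strings standing in for DER certificates are all assumptions made for illustration; CA and hostname validation are assumed to happen separately in the browser.

```python
import hashlib


class PetnameStore:
    """User-managed white-list: certificate thumbprint -> petname."""

    def __init__(self):
        self._by_print = {}  # thumbprint -> petname chosen by the user
        self._by_host = {}   # host -> thumbprint pinned for that host

    @staticmethod
    def thumbprint(cert_der: bytes) -> str:
        # Assumption: SHA-256 over the DER-encoded certificate.
        return hashlib.sha256(cert_der).hexdigest()

    def register(self, host: str, cert_der: bytes, petname: str) -> None:
        fp = self.thumbprint(cert_der)
        self._by_print[fp] = petname
        self._by_host[host] = fp

    def check(self, host: str, cert_der: bytes):
        """Return (state, petname) for the certificate a site presented."""
        fp = self.thumbprint(cert_der)
        if fp in self._by_print:
            return ("trusted", self._by_print[fp])  # show the petname
        if host in self._by_host:
            return ("changed", None)  # pinned host, different certificate: warn
        return ("unknown", None)      # CA-valid or not, no petname is shown


def demo():
    # Constructed placeholder bytes, not real certificates.
    amazon_cert = b"constructed-der:CN=amazon.com"
    amafon_cert = b"constructed-der:CN=amafon.com"      # CA-signed look-alike
    reissued = b"constructed-der:CN=amazon.com;serial=2"

    store = PetnameStore()
    store.register("amazon.com", amazon_cert, "Amazon Bookstore")
    return [
        store.check("amazon.com", amazon_cert),  # the pinned site
        store.check("amafon.com", amafon_cert),  # look-alike domain
        store.check("amazon.com", reissued),     # certificate changed
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The look-alike domain gets no petname even though its certificate would pass CA validation, and a changed certificate on a pinned host produces a warning state instead of silently inheriting trust.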