Norm Hardy wrote:
> It is tedious to check the cert on each URL reference (about 10 sec when
> you remember exactly how). Commonly the "name on the cert" is the domain name
> from the URL. I have seen exceptions. The danger for not checking is DNS
> spoofing that directs the URL reference to a site with a cert, but not the
> one you planned to visit. The bogus site learns the swiss number and the jig is
Versions of BIND 8.2 or later provide facilities that make such man-in-the-middle attacks considerably less likely. Anyone who is serious about SSL/TLS security should take measures to ensure that Secure DNS is in operation on at least one server involved in the resolution chain.
-- Please reply to <mailto:email@example.com> using PGP. My public key can be found at <http://pgpkeys.mit.edu:11371>. PGP can be found at <http://web.mit.edu/network/pgp.html>. Beginning 11/1/1999, unenciphered e-mail will be immediately deleted unread. Thank you.
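The manual check described in the quoted message (does the name on the cert match the domain name in the URL?), written out as an added example that is not part of either message. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are illustrative.

```python
from urllib.parse import urlsplit


def name_matches(pattern, host):
    """Compare one certificate name with a host name, label by label.
    A wildcard is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Names the certificate is issued for: subjectAltName DNS entries,
    falling back to the subject commonName when there are none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def url_matches_cert(url, cert):
    """True only if the host in the URL is one of the names on the cert."""
    host = urlsplit(url).hostname
    if not host:
        return False
    return any(name_matches(n, host) for n in cert_names(cert))


# Constructed sample certificates (not real ones).
INTENDED_SITE = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}
# A site with a perfectly valid cert, but not the one the URL names:
# the case that arises when DNS answers are spoofed.
OTHER_SITE = {"subject": ((("commonName", "www.example.org"),),)}

if __name__ == "__main__":
    url = "https://www.example.com/some/page"
    print("intended site:", url_matches_cert(url, INTENDED_SITE))
    print("other site:   ", url_matches_cert(url, OTHER_SITE))
```

Python's `ssl.create_default_context()` performs this comparison during the handshake (`check_hostname` is enabled by default), so the sketch is for understanding the rule rather than replacing the library check.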