Web Page Certificates

I have been wondering how I can be sure, when more than one person uses
a computer, if the web page certificates are authentic or not. How do
I know that someone else didn't accept a bogus certificate?

Thank!

teabox

"teabox" <> writes:

> I have been wondering how I can be sure, when more than one person uses
> a computer, if the web page certificates are authentic or not. How do
> I know that someone else didn't accept a bogus certificate?

What operating system? What web browser? Do you have a separate
account on that computer that no one else has access to?

Also, it bears mentioning the obvious that just because a given web
site has an SSL certificate, and you're seeing one that is attributed
to them, doesn't mean your activities are safe and secure and that the
information you provide them won't be cracked by other means.

--
Todd H.
http://www.toddh.net/

Todd H.

Todd H. wrote:
> "teabox" <> writes:
>
> > I have been wondering how I can be sure, when more than one person uses
> > a computer, if the web page certificates are authentic or not. How do
> > I know that someone else didn't accept a bogus certificate?
>
> What operating system? What web browser? Do you have a separate
> account on that computer that no one else has access to?
>
>
> --
> Todd H.
> http://www.toddh.net/

Todd,

Thanks for you reply.

I am using Windows XP, SP2. Firefox 2.01 and Internet Explorer 6.

My computer at work does not have separate accounts, but even if I set
one up others could certainly use the account from time to time.

> Also, it bears mentioning the obvious that just because a given web
> site has an SSL certificate, and you're seeing one that is attributed
> to them, doesn't mean your activities are safe and secure and that the
> information you provide them won't be cracked by other means.

What other means are you thinking about? I am aware of key loggers and
traffic sniffing via programs like Cain and Abel(Cain uses fake SSL
certificates).

I am quite new to this. I am beginning to wonder if using a public
computer is safe at all. Regardless, I am interesting in understanding
how I can keep my private stuff private!

Thanks,

TB

teabox

"teabox" <> writes:

> Todd H. wrote:
> > "teabox" <> writes:
> >
> > > I have been wondering how I can be sure, when more than one person uses
> > > a computer, if the web page certificates are authentic or not. How do
> > > I know that someone else didn't accept a bogus certificate?
> >
> > What operating system? What web browser? Do you have a separate
> > account on that computer that no one else has access to?
> >
> >
> > --
> > Todd H.
> > http://www.toddh.net/
>
> Todd,
>
> Thanks for you reply.
>
> I am using Windows XP, SP2. Firefox 2.01 and Internet Explorer 6.
>
> My computer at work does not have separate accounts, but even if I set
> one up others could certainly use the account from time to time.
>
> > Also, it bears mentioning the obvious that just because a given web
> > site has an SSL certificate, and you're seeing one that is attributed
> > to them, doesn't mean your activities are safe and secure and that the
> > information you provide them won't be cracked by other means.
>
> What other means are you thinking about? I am aware of key loggers and
> traffic sniffing via programs like Cain and Abel(Cain uses fake SSL
> certificates).

Exactly. Keyloggers for one.

Then, the actual websites you visit can be prone to attack
themselves.

Man in the middle SSL attacks are possible as well, and not all
require intervention.

> I am quite new to this. I am beginning to wonder if using a public
> computer is safe at all.

It is not. Maybe if you boot your own OS, but even then there could
be a hardware key logger installed. You never know.

> Regardless, I am interesting in understanding how I can keep my
> private stuff private!

You'll want to start by not using public computers, I'm afraid.

--
Todd H.
http://www.toddh.net/

Todd H.