FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » PHP mysql_excape but need to search for those items
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: PHP mysql_excape but need to search for those items [message #178413 is a reply to message #178403] Fri, 15 June 2012 20:36 Go to previous messageGo to previous message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma:
Senior Member
Jerry Stuckle, 14.06.2012 13:40:

> On 6/14/2012 2:47 AM, Arno Welzel wrote:
>> Jerry Stuckle, 12.06.2012 14:00:
[...]
>>> Setting up a proxy would mean alternations to the domain name servers
>>> data. Additionally, the certificate either would not match the domain
>>> name or the certificate would not be signed by a recognized authority
>>> (which is a good reason to use a trusted certificate).
>>
>> Nameservers can be compromised - e.g. by cache poisoning.
>>
>
> And exactly how often has that occurred? And who has the tools to do it?

To read more about: <http://www.kb.cert.org/vuls/id/800113>

Just because you can not imagine that his happens in reality does not
mean that you can ignore the problem.

I must admit that this problem is well known now for about 4 years and
hopefully anyone who's responsible for a nameserver did solve this - but
i mentioned it to show that "security" is not just "i use SSL, this i
secure".

>>> I don't know of any broken CAs in the past, but there could have been.
>>> However, the ones I use won't issue a certificate just to anyone.
>>
>> And these are?
>>
>
> Thwate, for one. Verisign for another.

VeriSign is also on the list of the CAs which had at least one security
problem:

< http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z8 20120202>

Of course they will never tell you about any details and of course you
shall believe that everything is perfectly fine.

And not to forget:

< http://www.thetechherald.com/articles/DigiNotar-security-incident-goes-from -bad-to-worse>

"In total, 531 fraudulent certificates were issued during the DigiNotar
breach, including certificates for Google, Microsoft, MI6, the CIA, TOR,
Mossad, Skype, Twitter, Facebook, Thawte, VeriSign, and Comodo."

Do you still believe, the CA system is trustworthy?

>> Just as a reminder: DigiNotar, Comodo, RSA - just to name a few who
>> already got compromised.
>>
>> Also see:
>>
>> < http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/>
>>
>>
>> < http://www.itscolumn.com/2011/09/certificate-authority-hacked-google-faced- mitm-attack/>
>>
>>
>> The whole model of trusting CAs and not single certificates (as in SSH)
>> must be considered broken.
>
> And you have a better solution?

As i already said: Don't trust a CA, only trust (or don't trust) the
certificate. If it changes your browser will immediately tell you - even
if it was signed by a CA.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Using count() as an array index
Next Topic: can't modify include path
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 06:36:39 GMT 2024

Total time taken to generate the page: 0.05149 seconds