[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: lynx-dev Thanks for the link. Here's my (bad) LYNX (SSL) result:
|
From: |
David Woolley |
|
Subject: |
Re: lynx-dev Thanks for the link. Here's my (bad) LYNX (SSL) result: |
|
Date: |
Tue, 23 Oct 2001 07:10:29 +0100 (BST) |
Matt wrote:
>
> On Mon, 22 Oct 2001, David Combs wrote:
> >
> > The browser you are using does not meet Wells Fargo's stringent
> > security standards. This means that you will not be able to bank
> ....
>
> which is a load of crap.
I believe some builds have inadequate random number generators - I think
only those that make use of an OS kernel random number generator may be
safe in that respect. In addition, there has been no independent security
audit on the code, and as the above indicates, simply including OpenSSL
does not guarantee security - both Netscape and Microsoft have produced
insecure encryption using strong encryption libraries in the past.
There is also not very tight version control, so a security validation for
one version doesn't guarantee the security of other versions.
There is at least someone to sue and with a reputation to defend when you
use a commercial product, even if they have been naive about encryption
in the past.
At the very best, I would say that anyone faking the user agent string in
this context would have to bear all the financial consequences of a breach
of security or any other failure that could possible be due to a breach
of security, and, at worst, their actions might be considered fraudulent,
because of the faked user agent string. IANAL, but I would advise
consulting one before faking a user agent string to get round encryption
authorisation rules.
; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden