WebApp Sec mailing list archives

Re: Must we authenticate login forms (using SSL?)?


From: mike03051 () yahoo com
Date: 30 Sep 2005 00:25:12 -0000

Amir,

Thank you for the response and clarification. As to whether I am a security expert, it depends on whether in your 
opinion a security expert is made through certification. If so, neither you nor I would qualify as neither of us 
appears to flaunt any security certifications.

I gather from your response that we agree that HTTP and HTTPS pages are equally susceptible to both phishing and MITM 
attacks. An attacker can always use a bank’s name in a URL; for example, citibank.ny02110.biz will work. All the attacker 
needs to do is acquire a certificate for their site and they will be able to host an SSL site.

Since we agree on this point of fact, I find the entire HOS listing pointless and misleading. It is your choice as to 
what you wish to do with it. Leave it up if you feel like it.

I do believe that TrustBar offers many advantages for a user who chooses to download it. Whether it can read the 
certificate or not is probably not one of its major strengths as citibank.ny02110.biz is maybe just not enough 
information for a user.

I do want to thank you for the insight into your tool and the explanation of the HOS reasoning.

Mike
