Matej Kovacic (02.01.2009 19:39):
> Hi,
>
>> That's what it is supposed to say until you give it a name. The
>> assumption is that you use out of band methods to authenticate the cert
>> is correctly assigned. And then you type whatever nickname you want to
>> give it into the petname field. Should the slo-tech.com cert change,
>> you'll receive a red box instead of green.
>
> Exactly that is the problem - I cannot change "unauthenticated" to any
> other string (on this site only, on PayPal I can do that).

An "Unauthenticated" reading in the Petname tool on an HTTPS site means that not all webpage contents were transmitted over SSL, e.g. the content is security-mixed. Consider a scenario with a secure site transmitting user login credentials with the help of some JavaScript code sent over plain HTTP. If Mallory substitutes this unauthenticated JavaScript code, your login information could be compromised. In this case there is no practical difference whether you use the Petname tool or not, because not all webpage objects are safe in the first place.

Usually such "mixed content" situations originate from ad banners or similar things. You may scrub them with the Adblock Firefox extension. When there are no HTTP-transmitted objects left on the HTTPS page, the Petname tool will work as expected.

-- 
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com
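The mixed-content condition described in the message above can be checked from a saved copy of a page. The following is an added example, not part of the original message and not Petname tool code: it lists subresources that an HTTPS page would fetch over plain HTTP. The hostnames and the sample page are constructed, and the active/passive labels follow the usual browser distinction between content that can script or restyle the page and content that cannot.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource on page load.
FETCH_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
               "link": "href", "img": "src", "audio": "src", "video": "src"}
# Tags whose content can run code in, or restyle, the embedding page.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how later relative URLs resolve.
            self.base = urljoin(self.base, attrs["href"])
            return
        attr = FETCH_ATTRS.get(tag)
        if attr is None or not attrs.get(attr):
            return
        rels = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rels:
            return  # e.g. rel=canonical is metadata, nothing is loaded from it
        url = urljoin(self.base, attrs[attr].strip())
        if urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for every HTTP subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: a login page that pulls an ad script and banner over HTTP.
SAMPLE_URL = "https://shop.example.com/login"
SAMPLE_HTML = """<link rel="stylesheet" href="/style.css">
<script src="http://ads.example.net/banner.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<img src="http://ads.example.net/banner.png">
<a href="http://example.org/">hyperlink, not fetched on load</a>"""
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme, so only the two ad resources are reported; resources injected later by scripts are not visible to a static check like this.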