Tarc wrote: > On Wed, Jun 21, 2006 at 10:32:21AM +0200, Maxime Henrion wrote: > > Marcin Jessa wrote: > > > On Wed, 21 Jun 2006 07:31:23 +0000 > > > John Birrell <jb_at_what-creek.com> wrote: > > > > > > > On Wed, Jun 21, 2006 at 12:20:36AM -0700, Luigi Rizzo wrote: > > > > > On Wed, Jun 21, 2006 at 07:07:39AM +0000, John Birrell wrote: > > > > > > The fact that a lot of innocent (naive) people don't use https > > > > > > and certificates?! > > > > > > > > > > and so they would happily click on > > > > > > > > > > <a href="http://www.666.org/gimmeyourmoney">Secure Link to > > > > > Your Bank</a> > > > > > > > > > > so we are not opening much in terms of security holes... > > > > > > > > You are making it worse because you open a new security hole: > > > > > > > > <a href="https://www.paypal.com/">www.paypal.com</a> > > > > > > > > does not take them to the _REAL_ www.paypal.com. > > > > > > > > This is not an issue about phishing where: > > > > > > > > <a href="http://some.dynamic.ip.addr/">www.paypal.com</a> > > > > > > > > makes it look like the link takes them to PayPal when it really > > > > doesn't. > > > > > > > > Most banks still don't use certificates even though they use HTTP. > > > > > > > > We need to retain the integrity of a DNS lookup. If there are any work > > > > arounds required for poor DNS lookups, then let an administrator > > > > configure them! > > > > > > Just add a global switch to enable/disable using of the ~/.hosts file > > > to i.e /etc/login.conf. > > > I personally find this feature very handy, especially on a desktop > > > with restricted access to the system. > > > > Better yet; the original author is currently working on making this a > > separate nss module. It can then be enabled/disabled at will through > > the nsswitch.conf file. > > > > I can understand the security concerns people have expressed in this > > thread, but once this functionality is available as a nss module they > > don't hold anymore. As far as I can see, noone intends to have this > > enabled by default, and it's not even clear it should be in the base. > > Having a nss_userfiles port or whatever is probably enough. > > > Yes, but the global capability must be there. Or you can say, how enable this ability (if it'll be nss port) only for several users/groups ?!! A per-user setting allowing to do what you're describing may be desirable and helpful, but it's not like it is absolutely required for this software to be usable. Such a feature can be added later if wanted. Cheers, MaximeReceived on Wed Jun 21 2006 - 07:17:05 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:57 UTC