Open versus closed PKI systems
Nicholas Bohm
nbohm at ernest.net
Thu, 17 May 2001 18:16:38 +0100
At 17:40 17/05/2001 +0100, Ben Laurie wrote:
>Nicholas Bohm wrote:
>> By now the cognoscenti know that if others get hold of their credit card
>> details (and interception of the session is far from the most likely
>> source), the resulting risk is to merchants, not customers.
>
>But is that because it is well known that everyone uses SSL for
>collecting such details, and hence little effort is put into
>interception?
>
>I'm sure that at many hosting facilities there is _plenty_ of
>opportunity for sniffing the machines around you, if there were any
>point to doing so.

You may be right about little effort being put into interception, but I
suspect SSL is only part of the reason; the other part surely being that
insecurity at the point where the details are held is widespread, and that
details are much more conveniently harvestable from a database than a
datastream: there is lower-hanging fruit elsewhere, even if interception
were easier than it is.

And this doesn't of course affect my point that customers are at risk of no
more than some inconvenience if their details go astray (which may of
course be why they're so unconcerned at parting with their cards in
restaurants).

Regards

Nicholas
Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint:
9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF