[14652] in cryptography@c2.net mail archive


Re: WYTM?

daemon@ATHENA.MIT.EDU (Jon Snader)
Wed Oct 15 14:32:42 2003

X-Original-To: cryptography@metzdowd.com
Date: Tue, 14 Oct 2003 08:43:19 -0400
From: Jon Snader <jsnader@ix.netcom.com>
To: cryptography@metzdowd.com
Mail-Followup-To: Jon Snader <jsnader@ix.netcom.com>,
	cryptography@metzdowd.com
In-Reply-To: <3F8B2BFA.64526D69@systemics.com>

On Mon, Oct 13, 2003 at 06:49:30PM -0400, Ian Grigg wrote:
> Yet others say "to be sure we are talking
> to the merchant."  Sorry, that's not a good
> answer either because in my email box today
> there are about 10 different attacks on the
> secure sites that I care about.  And mostly,
> they don't care about ... certs.  But they
> care enough to keep doing it.  Why is that?
> 

I don't understand this.  Let's suppose, for the
sake of argument, that MitM is impossible.  It's
still trivially easy to make a fake site and harvest
sensitive information.  If we assume (perhaps erroneously)
that all but the most naive user will check that they
are talking to a ``secure site'' before they type in
that credit card number, doesn't the cert provide assurance
that you're talking to whom you think you are?
If the argument is that Verisign and the others don't do
enough checking before issuing the cert, I don't see
how that somehow means that SSL is flawed.

jcs
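
To make concrete what the certificate check discussed in the message above does and does not assert, here is an added example (not part of the original post or the list discussion): a simplified version of the dNSName matching a browser performs when it decides whether a server certificate covers the host in the URL, following the RFC 6125 rules browsers enforce. The two certificates are constructed for illustration, one for a merchant and one for a look-alike name; the names and SAN lists are invented.

```python
# Added example, not from the original message: the hostname check a browser
# performs against a server certificate's subjectAltName dNSName entries.
# Simplified RFC 6125 matching; the certificate data below is constructed.

WILDCARD = "*"


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot: names compare case-insensitively
    and the absolute form ("host.example.") equals the relative one."""
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate dNSName `pattern` covers `hostname`.

    Rules applied (the conservative subset browsers accept):
      * comparison is case-insensitive, label by label;
      * a wildcard must be the entire left-most label ("*.example.com");
        partial wildcards such as "w*w.example.com" are rejected;
      * the wildcard matches exactly one label, so "*.example.com" covers
        neither "a.b.example.com" nor the bare "example.com";
      * a wildcard needs at least two labels to its right, so "*.com"
        is never accepted.
    """
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if WILDCARD not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if (pattern.count(WILDCARD) != 1
            or p_labels[0] != WILDCARD
            or len(p_labels) < 3):
        return False
    # One wildcard label must line up with exactly one host label.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def cert_covers_host(san_dns_names, url_host: str) -> bool:
    """A certificate covers the URL host if any of its dNSName entries does."""
    return any(dns_name_matches(name, url_host) for name in san_dns_names)


# Constructed certificates (only the dNSName entries matter for this check).
MERCHANT_CERT_SANS = ["merchant.example", "*.merchant.example"]
LOOKALIKE_CERT_SANS = ["www.rnerchant.example"]   # "rn" where the eye reads "m"


def main() -> None:
    cases = [
        ("merchant cert ", MERCHANT_CERT_SANS, "www.merchant.example"),
        ("merchant cert ", MERCHANT_CERT_SANS, "www.rnerchant.example"),
        ("lookalike cert", LOOKALIKE_CERT_SANS, "www.rnerchant.example"),
    ]
    for label, sans, host in cases:
        verdict = "accepted" if cert_covers_host(sans, host) else "rejected"
        print(f"{label} for URL host {host:<24} -> {verdict}")


if __name__ == "__main__":
    main()
```

The merchant's certificate is rejected for the look-alike host, but a certificate legitimately issued to the look-alike name passes the same check. What the check establishes is that the server holds a certificate for the name in the URL bar; whether that name is the merchant the user had in mind is a separate question the certificate cannot answer.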

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
