[2597] in cryptography@c2.net mail archive
Re: safety of SSL 2?
daemon@ATHENA.MIT.EDU (John R Levine)
Tue Apr 28 16:36:58 1998
Date: Tue, 28 Apr 1998 14:58:11 -0400 (EDT)
From: John R Levine <johnl@iecc.com>
To: Eric Young <eay@cryptsoft.com>
cc: cryptography@c2.net
In-Reply-To: <Pine.GSO.3.96.980428152819.24873H-100000@pandora.cryptsoft.com>
> www.amazon.com still only accepts SSLv2 (and a broken implementation at that).
> It is all a matter of risk management. When the possible costs are very low,
> they will not upgrade.
Quite right. I have yet to hear any reports of credit cards or other payment
information being stolen in transit over the net, and a lot of credit card
info goes via unencrypted HTTP and e-mail, so this looks like a low-level
threat in practice.
According to some stats I heard at a conference last week, 27% of web users
have bought something over the net, and 2/3 of those buyers sent their
payment info via HTTP. The other 1/3 called, faxed, or sent e-mail,
suggesting that the FUD factor is high but the risk isn't.
But I also heard that the amount of net-based fraud is quite large, to the
point where Citibank is quite illegally telling their customers that you
can't contest a net-based charge, but it's real world problems like goods not
being delivered or subscriptions not being cancelled which don't sound to me
like problems that crypto is going to solve short of a much more complex
handshake for payments than people are likely to tolerate. (After all,
they're not even interested in FV's three-way e-mail.)
One place where SSL might help is that it does verify that a site is who they
say they are, but IP spoofing is hard enough that I don't see that as being a
big problem any time soon, either.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47