ID "theft" -- so what?

Perry E. Metzger perry at piermont.com
Thu Jul 14 12:54:21 EDT 2005


Ian Grigg <iang at systemics.com> writes:
>> This is not a "new realization" -- this goes back a long way.
>
> OK, so maybe this part is the new realisation:

No, it isn't a new realization either, Ian. We all knew from nearly
the start that the model we were using in browsers was wrong. I don't
know anyone who defends it. Netscape threw SSL together in a hurry --
so much of a hurry that the first version of the protocol wasn't even
any good -- and threw a bunch of certs right into the browser to
bootstrap it, and no one has particularly liked the situation ever
since.

That doesn't mean that people are interested in throwing the baby out
with the bathwater, either, as you have in suggesting that people
should just send credit card numbers in the clear because passive
interception is (you have claimed) not an issue.

> Too many words?  OK, here's the short version
> of why phishing occurs:
>
> "Browsers implement SSL+PKI and SSL+PKI is
> secure so we don't need to worry about it."

I am unaware of real security professionals who hold that opinion or
ever held it, or even a variation on it. Perhaps there are a handful
out there, but it isn't the majority.

Again, you are telling people what they already know.


-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com