Citibank discloses private information to improve security
Adam Fields
cryptography23094893 at aquick.org
Mon May 30 22:04:05 EDT 2005
On Sat, May 28, 2005 at 10:47:56AM -0700, James A. Donald wrote:
[..]
> With bank web sites, experience has shown that only 0.3%
> of users are deterred by an invalid certificate,
> probably because very few users have any idea what a
> certificate authority is, what it does, or why they
> should care. (And if you have seen the experts debating
> what a certificate authority is and what it certifies,
> chances are that those few who think they know are
> wrong)
Moreover, in my experience (as I've mentioned before on this list),
noticing an invalid certificate is absolutely useless if the banks
won't verify via another channel a) that it changed, b) what the new
value is or c) what the old value is.
I've tried. They won't/can't.
> Do we have any comparable experience on SSH logins?
> Existing SSH uses tend to be geek oriented, and do not
> secure stuff that is under heavy attack. Does anyone
> have any examples of SSH securing something that was
> valuable to the user, under attack, and then the key
> changed without warning? How then did the users react?
Every time this has happened to someone I know who uses SSH, it's been
immediate cause for alarm, causing a phone call to the person who
administers the box asking "what the? did you reinstall the OS
again?".
--
- Adam
** I can fix your database problems: http://www.everylastounce.com/mysql.html **
Blog............... [ http://www.aquick.org/blog ]
Links.............. [ http://del.icio.us/fields ]
Photos............. [ http://www.aquick.org/photoblog ]
Experience......... [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list