[FYI] Did Encryption Empower These Terrorists?
Ben Laurie
ben at algroup.co.uk
Mon Sep 24 04:34:48 EDT 2001
lynn.wheeler at firstdata.com wrote:
> The problems, of course, are 1) account numbers are essentially shared
> secrets, 2) SSL only provides for protection for numbers in flight, 3) the
> numbers at rest remain a major exploit (as per press stories regarding
> copying of account number master files at web servers) ... aka the use of
> SSL/encryption only addressed a small portion of the problem. The web server
> account number master file also typically represents a risk that is
> significantly greater than what a typical merchant otherwise has at risk ...
> making it difficult to support a solution where the level of
> security/protection is proportional to the risk
This is simply bad design - there should be no "account number master
file" on the web server!
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
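As an added illustration of the design point in Ben's reply (this is not code from the thread or its participants), the sketch below contrasts a web tier whose order records carry account numbers with one that keeps only opaque tokens from an isolated vault, and runs a Luhn-based "numbers at rest" scan over each data dump. The vault class, the record layout and the 4111... test number are all constructed for the example.

```python
import json
import re
import secrets

# Constructed test account number (the well-known 4111... Visa test PAN), not real data.
TEST_PAN = "4111111111111111"

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(dump: str) -> list[str]:
    """Scan a data dump for 13-19 digit runs that pass Luhn: a check for numbers at rest."""
    return [m for m in re.findall(r"\b\d{13,19}\b", dump) if luhn_valid(m)]

class CardVault:
    """Hypothetical isolated store: the only place account numbers exist at rest."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        # Random token: carries no information about the PAN and is useless off the vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

def web_tier_with_master_file(pans):
    """The design criticised above: order records on the web server carry the PAN."""
    return json.dumps([{"order": i, "pan": p} for i, p in enumerate(pans)])

def web_tier_tokenized(pans, vault):
    """Web server keeps only vault tokens; a copy of this file yields no account numbers."""
    return json.dumps([{"order": i, "token": vault.tokenize(p)} for i, p in enumerate(pans)])

if __name__ == "__main__":
    vault = CardVault()
    print(find_pans(web_tier_with_master_file([TEST_PAN])))   # ['4111111111111111']
    print(find_pans(web_tier_tokenized([TEST_PAN], vault)))   # []
```

The scan is the check a merchant can run against its own web-tier backups or exports: any Luhn-valid hit means account numbers are at rest where SSL does nothing for them.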
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com