[FYI] Did Encryption Empower These Terrorists?

Ben Laurie ben at algroup.co.uk
Tue Sep 25 05:28:37 EDT 2001


lynn.wheeler at firstdata.com wrote:
> 
> there are all sorts of shortcomings in this world. you find a "merchant"
> that buys a computer, installs some webserver software and puts it up on
> the web and expects that to handle everything.

Fine, but that was not the point you claimed to be making. You said:

> The web server
> account number master file also typically represents a risk that is
> significantly greater than what typical merchant otherwise has at risk ...
> making it difficult to support a solution where the level of
> security/protection is proportional to the risk

It is easy to avoid this piece of bad design, for example by
transferring asymmetrically encrypted order details to a back-end system
(via email is a popular choice).

Of course, the system is still vulnerable to trojan-style attacks (in
fact it seems to me that even this could be avoided with some cunning
client-side work - it would even be valuable to extend, say, SSL to
permit this - I wonder if it would be worth describing how this could be
done?).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
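
The design described in the reply above, where the web server encrypts order details to a back-end system's public key and keeps nothing it can decrypt, shown as an added example in Go that is not part of the original post. The function names, the RSA-OAEP plus AES-256-GCM construction, the demo key and the sample order string are assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // AES-256-GCM from a 32-byte session key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealOrder runs on the web server, which holds only the public key.
func SealOrder(pub *rsa.PublicKey, order []byte) (wrapped, sealed []byte, err error) {
	buf := make([]byte, 32+12) // fresh session key and GCM nonce per order
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return wrapped, gcm.Seal(nonce, nonce, order, nil), err // sealed = nonce||ciphertext||tag
}

// OpenOrder runs on the back end, the only host holding the private key.
func OpenOrder(priv *rsa.PrivateKey, wrapped, sealed []byte) ([]byte, error) {
	key, kerr := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	gcm, gerr := newGCM(key) // also fails when unwrapping returned no key
	if kerr != nil || gerr != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open order (unwrap: %v, cipher: %v)", kerr, gerr)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed key pair; the private half stays on the back end
func main() {
	w, s, _ := SealOrder(&demoKey.PublicKey, []byte("order=1001 account=EXAMPLE")) // constructed sample
	got, err := OpenOrder(demoKey, w, s)
	fmt.Println(string(got), err)
}
```

A compromise of the web server then yields only the public key and opaque blobs. As the reply notes, a trojan on that host can still read orders before they are sealed.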



