Maybe It's Snake Oil All the Way Down

Bill Frantz frantz at pwpconsult.com
Wed Jun 4 17:13:22 EDT 2003


At 8:07 AM -0700 6/4/03, Sunder wrote:
>Depends on how it gets passed from the web servers to that computer.  If
>it's encrypted with a public key on the web server that only the database
>has the private half, you're safe from someone sniffing that "proprietary
>one-way interface."
>
>However, if someone's already broken into the web server, they can collect
>the cc:'s before they get sent to the secure db.
>
>So if you're an old Amazon customer and don't change your CC >BEFORE<
>someone hacks into their web server, you're safe.
>
>It's certainly better than storing all CC's on the web server.
>
>Now if those CC's are in raw text on the DB end, Amazon is up shit's creek
>if someone walks away with a db dump, backup tape, or whatever.
>
>....
>
>However, this is in a lot of ways MORE secure than handing that waiter or
>store clerk your CC.  Remember that nice yellow slip has your signature,
>CC number and expiration date on it.  Very useful for an attacker.
>In fact, they likely had physical access to the CC and have that extra 3
>digit # on the back too.
>
>...
>
>I feel safer with Amazon's use of my CC than the above, don't you?

Well, I've only ordered from Amazon 2 or 3 times since they've been in
business.  Having my CC on file gives a much longer exposure time than the
brief periods of time it would be "in transit".  So, no, I don't feel much
safer.  The $50 limit on unauthorized charges is what makes me feel safer.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | Due process for all    | Periwinkle -- Consulting
(408)356-8506         | used to be the         | 16345 Englewood Ave.
frantz at pwpconsult.com | American way.          | Los Gatos, CA 95032, USA
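As an added example (not code from this thread or from any of the parties it mentions), here is a minimal sketch in Go of the "one-way interface" Sunder describes: the web tier holds only the database's public key and seals each card number with RSA-OAEP, so only the database host, which keeps the private half, can open the stored blobs. The function names, the OAEP label and the sample card number are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// OAEP label binding each ciphertext to its purpose; an assumed value.
var cardLabel = []byte("customer-card-number")

// newDBKeyPair is run once on the database host. Only &priv.PublicKey is
// copied to the web tier; the private half never leaves the database side.
func newDBKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// webTierSeal is what the web server does with a card number it has just
// received. It needs only the public key, so once the blob is sealed nothing
// on this host can recover the number. The number is still in memory in
// plaintext at this point, which is the exposure the thread notes: an
// attacker already on the web server sees it before it is sealed.
func webTierSeal(pub *rsa.PublicKey, card string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(card), cardLabel)
}

// dbTierOpen runs only on the database host that holds the private key.
// Sealed blobs can be stored as-is; a stolen dump or backup tape is useless
// without that key, which therefore must not sit on the same backup.
func dbTierOpen(priv *rsa.PrivateKey, sealed []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, cardLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, err := newDBKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample value, not a real account.
	sealed, err := webTierSeal(&priv.PublicKey, "4111111111111111")
	if err != nil {
		panic(err)
	}
	card, err := dbTierOpen(priv, sealed)
	fmt.Printf("stored %d-byte blob; database recovered %q, err=%v\n", len(sealed), card, err)
}
```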



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
