Maybe It's Snake Oil All the Way Down
James A. Donald
jamesd at echeque.com
Wed Jun 4 22:09:31 EDT 2003
--
James A. Donald
> > > > Or to say the same thing in different words -- why
> > > > can't HTTPS be more like SSH? Why are we seeing a
> > > > snow storm of scam mails trying to get us to login to
> > > > e-g0ld.com?
Eric Rescorla
> > > Because HTTPS is designed to let you talk to people
> > > you've never talked before, which is an inherently harder
> > > problem than allowing you to talk to people you have.
James A. Donald:
> > In attempting to solve the hard problem, it fails to make
> > provision for solving the easy problem.
Eric Rescorla
> Nonsense. One can simply cache the certificate, exactly as
> one does with SSH. In fact, Mozilla at least does exactly
> this if you tell it to. The reason that this is uncommon is
> because the environments where HTTPS is used are generally
> spontaneous and therefore certificate caching is less useful.
Certificate caching is not the problem that needs solving. The
problem is all this spam attempting to fool people into logging
in to fake BofA websites and fake e-gold websites, to steal
their passwords or credit card numbers
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
/UOLlqGTeq9SAB5W/aJJuwULFBNMCVzKJnIRlhES
48E3I0Yo+68OTvTwztxirTXc41yFVicJtskuBB/dU
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list