The real problem that https has conspicuously failed to fix

James A. Donald jamesd at echeque.com
Tue Jun 10 15:32:55 EDT 2003


James A. Donald:
> > I keep posting "you cannot do this using https", and people 
> > keep replying "yes you can"

On 10 Jun 2003 at 1:52, John R. Levine wrote:
> I think there's two separate problems here.  One is domain 
> squatting. I've seen lots of phishes from domains like 
> paypal-confirm.com (which is registered to someone in 
> Pakistan.)  It is truly pitiful that with all of the 
> anti-squatting nonsense involved with ICANN and their UDRP,  
> and despite the cases we've read about with trademark 
> owners suing everyone who registers "bigcorp-sucks.com", 
> people still register deliberately confusing domain names in 
> bad faith for fraudulent purposes and get away with it.

The example I posted did not rely on a misleading name, though 
most such scams do, and a misleading name greatly facilitates 
such scams.

> The other issue, as someone else noted, is that html, like 
> just about everything else on the net, wasn't designed to be 
> secure and unless you're going to go reading the source code 
> of every form you use, you can't tell where your information 
> is going.

If https made it possible to log on to a site without sending  
the site a shared secret, that would help, because then end  
users would be surprised and suspicious on being asked to send 
a shared secret.

And when I say "possible" I do not mean "possible if you send a 
hundred dollars per customer to verisign and your administrator 
spends an hour talking face to face with each customer and  
fiddling with each customer's computer".

> I can't see that either of those issues can be addressed by  
> cryptography

The problem is shared secrets.  Abolish shared secrets, nothing 
for the scam sites to steal.

    --digsig
         James A. Donald
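An added illustration of the point made above, not from the original post or thread: a login in which the client answers a server challenge with a signature rather than a shared secret, written in Go with the standard library's ed25519. It goes one step beyond the message by binding the signature to the origin the client believes it is talking to, so a look-alike site that relays the genuine site's challenge still receives nothing it can present to the genuine site. The origins bank.example and bank-confirm.example are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assertion is what the client sends back: the challenge it received,
// the origin it saw in its own address bar, and a signature over both.
// None of these is a secret, so a site that collects them has nothing to steal.
type Assertion struct {
	Challenge []byte
	Origin    string
	Sig       []byte
}

// signedMessage binds the challenge to an origin; the separator byte keeps
// origin and challenge from running together in the hash input.
func signedMessage(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// NewChallenge returns a fresh random nonce; the server keeps a copy.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// ClientSign signs the challenge together with the origin the client sees.
func ClientSign(priv ed25519.PrivateKey, challenge []byte, origin string) Assertion {
	return Assertion{challenge, origin, ed25519.Sign(priv, signedMessage(challenge, origin))}
}

// ServerVerify checks against the challenge it issued and its OWN origin,
// ignoring whatever origin the assertion claims, so a signature produced
// for a look-alike site never verifies here.
func ServerVerify(pub ed25519.PublicKey, issued []byte, serverOrigin string, a Assertion) bool {
	if !bytes.Equal(issued, a.Challenge) {
		return false // replay of an old challenge
	}
	return ed25519.Verify(pub, signedMessage(issued, serverOrigin), a.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // server stores only pub
	ch := NewChallenge()
	fmt.Println("genuine:", ServerVerify(pub, ch, "https://bank.example", ClientSign(priv, ch, "https://bank.example")))
	fmt.Println("relayed:", ServerVerify(pub, ch, "https://bank.example", ClientSign(priv, ch, "https://bank-confirm.example")))
}
```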


---------------------------------------------------------------------
The Cryptography Mailing List