The real problem that https has conspicuously failed to fix
James A. Donald
jamesd at echeque.com
Tue Jun 10 15:32:55 EDT 2003
--
James A. Donald:
> > I keep posting "you cannot do this using https", and people
> > keep replying "yes you can"
On 10 Jun 2003 at 1:52, John R. Levine wrote:
> I think there's two separate problems here. One is domain
> squatting. I've seen lots of phishes from domains like
> paypal-confirm.com (which is registered to someone in
> Pakistan.) It is truly pitiful that with all of the
> anti-squatting nonsense involved with ICANN and their UDRP,
> and despite the cases we've read about with trademark
> owners suing everyone who registers "bigcorp-sucks.com",
> people still register deliberately confusing domain names in
> bad faith for fraudulent purposes and get away with it.
The example I posted did not rely on a misleading name, though
most such scams do, and a misleading name greatly facilitates
such scams.
> The other issue, as someone else noted, is that html, like
> just about everything else on the net, wasn't designed to be
> secure and unless you're going to go reading the source code
> of every form you use, you can't tell where your information
> is going.
If https made it possible to log on to a site without sending
the site a shared secret, that would help, because then end
users would be surprised and suspicious on being asked to send
a shared secret.
And when I say "possible" I do not mean "possible if you send a
hundred dollars per customer to verisign and your administrator
spends an hour talking face to face with each customer and
fiddling with each customer's computer".
> I can't see that either of those issues can be addressed by
> cryptography
The problem is shared secrets. Abolish shared secrets: nothing
for the scam sites to steal.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
rx/Z2qIPQ5/w2m19Glalp9TuC97A9A0sAFlrm0JN
4o44QKfLOBAAqjFsl04PeQ/0B05CLW3gCaS/b7lWq
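The kind of login the post argues for, one where the site never receives a shared secret, as an added example that is not part of the original message or thread: a toy Schnorr-style challenge-response login in Python using only the standard library. The 64-bit group, the `Server` class and the names `alice`, `bank.example` and `bank-confirm.example` are all constructed for this illustration and are assumptions, not anything from the list. The client keeps a private key; the site gets a public key at enrolment and, at each login, a one-time proof bound to a fresh server nonce and to the origin the client believes it is talking to. A site that receives such a proof holds nothing it can present elsewhere, and replaying the same proof to the same site is refused.

```python
import hashlib
import random
import secrets

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; probabilistic, adequate for a demo group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64, seed=1):
    """Toy safe-prime group p = 2q + 1, g = 4 (order q); seeded for reproducibility."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p, q, 4  # 4 = 2^2 lies in the order-q subgroup

def keygen(group):
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1  # private key: never leaves the client
    return x, pow(g, x, p)            # (private, public)

def _challenge(group, t, nonce, origin):
    """Fiat-Shamir challenge binding commitment, server nonce and origin."""
    p, q, _ = group
    data = t.to_bytes((p.bit_length() + 7) // 8, "big") + nonce + origin.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def prove(group, x, nonce, origin):
    """Client: Schnorr proof of knowledge of x; the transcript is not reusable."""
    p, q, g = group
    k = secrets.randbelow(q - 1) + 1
    t = pow(g, k, p)
    return t, (k + _challenge(group, t, nonce, origin) * x) % q

def verify(group, y, nonce, origin, proof):
    """Server: accept iff g^s == t * y^c (mod p) for this nonce and origin."""
    p, q, g = group
    t, s = proof
    if not (0 < t < p and 0 <= s < q):
        return False
    c = _challenge(group, t, nonce, origin)
    return pow(g, s, p) == (t * pow(y, c, p)) % p

class Server:
    """Holds public keys only; every nonce is accepted at most once."""
    def __init__(self, origin, group):
        self.origin, self.group = origin, group
        self.users, self.pending = {}, set()
    def register(self, name, public_key):
        self.users[name] = public_key
    def issue_nonce(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce
    def login(self, name, nonce, proof):
        if name not in self.users or nonce not in self.pending:
            return False
        self.pending.discard(nonce)  # one-time: a replayed proof is refused
        return verify(self.group, self.users[name], nonce, self.origin, proof)

def demo():
    """Constructed scenario; returns (login_ok, replay_ok, other_origin_ok)."""
    group = make_group()
    x, y = keygen(group)
    bank = Server("bank.example", group)  # hypothetical site name
    bank.register("alice", y)
    nonce = bank.issue_nonce()
    proof = prove(group, x, nonce, "bank.example")
    ok = bank.login("alice", nonce, proof)
    replay_ok = bank.login("alice", nonce, proof)
    nonce2 = bank.issue_nonce()
    other = prove(group, x, nonce2, "bank-confirm.example")  # wrong origin
    return ok, replay_ok, bank.login("alice", nonce2, other)
```

Calling demo() returns (True, False, False): the genuine login succeeds, the replayed proof fails because its nonce has already been consumed, and a proof bound to a different origin fails at the bank. The exchange has the same shape as modern public-key web authentication; the group here is toy-sized, and the point is the structure of the exchange (public key stored, nothing reusable sent), not the parameters.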
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com