Who's afraid of Mallory Wolf?
Anne & Lynn Wheeler
lynn at garlic.com
Tue Mar 25 17:32:00 EST 2003
At 12:09 PM 3/25/2003 -0800, bear wrote:
>ISP's don't want to support encrypted links
>because it raises their CPU costs. And mail
>clients generally aren't intelligently designed
>to handle encrypted email which the mail servers
>could just "pass through without decrypting and
>encrypting".
circa '95 .... there were comments that ISP's didn't want to verify
from/spoofed packet addresses on DHCP modem connections because it
increased their router cpu costs (actually one of the most common routers
didn't have enuf processor power to implement even trivial packet filtering
on modem lines).
http://www.garlic.com/~lynn/2001m.html#27 Internet like city w/o traffic
rules, traffic signs, traffic lights and traffic enforcement
http://www.garlic.com/~lynn/2001m.html#28 Internet like city w/o traffic
rules, traffic signs, traffic lights and traffic enforcement
http://www.garlic.com/~lynn/2001m.html#29 Internet like city w/o traffic
rules, traffic signs, traffic lights and traffic enforcement
http://www.garlic.com/~lynn/2001m.html#30 Internet like city w/o traffic
rules, traffic signs, traffic lights and traffic enforcement
http://www.garlic.com/~lynn/2001m.html#31 Internet like city w/o traffic
rules, traffic signs, traffic lights and traffic enforcement
now there is the observation in this thread (or the previous thread) that
many websites use SSL very sparingly because it cuts their web traffic
capacity by 80-90 percent (http vis-a-vis https given the same hardware).
Typical sequence is that person clicks-on/types something and goes to a
site with straight HTTP, they shop for a while ... until they are ready to
check-out, they then click on the "check-out" button. That button supplies
a URL that sends them off to a HTTPS site (aka the user didn't actually
originated the HTTPS url) ... where all the payment information is
provided. Now since the client/consumer never provided the actual HTTPS
sequence .... but it was provided for them by a webpage at the HTTP site
they were shopping at .... it is presumably trivial for the HTTP site that
they are shopping at to make sure that the HTTPS URL domain that clients
are sent to .... matches the certificate domain at that site (and a lot of
shopping URLs have a lot of appended history so that it is relatively
easily contrived that the consumer doesn't notice the domain name of the
"check-out/payment" page).
A lot of the requirement for encryption is end-to-end ... or at least
VPN-like .... so encrypted packets should mostly be transparent to
operations in their ISP roles. This isn't as true on the web-hosting side
of the house ... where SSL or similar encryption activity can represent
significant additional CPU processing load.
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list