WYTM?

Jon Snader jsnader at ix.netcom.com
Tue Oct 14 08:43:19 EDT 2003


On Mon, Oct 13, 2003 at 06:49:30PM -0400, Ian Grigg wrote:
> Yet others say "to be sure we are talking
> to the merchant."  Sorry, that's not a good
> answer either because in my email box today
> there are about 10 different attacks on the
> secure sites that I care about.  And mostly,
> they don't care about ... certs.  But they
> care enough to keep doing it.  Why is that?
> 

I don't understand this.  Let's suppose, for the
sake of argument, that MitM is impossible.  It's
still trivially easy to make a fake site and harvest
sensitive information.  If we assume (perhaps erroneously)
that all but the most naive user will check that they
are talking to a ``secure site'' before they type in
that credit card number, doesn't the cert provide assurance
that you're talking to whom you think you are?
If the argument is that Verisign and the others don't do
enough checking before issuing the cert, I don't see
how that somehow means that SSL is flawed.

jcs

---------------------------------------------------------------------
The Cryptography Mailing List