"SSL stops credit card sniffing" is a correlation/causality myth

Ian G iang at systemics.com
Thu Jun 2 08:58:40 EDT 2005


On Thursday 02 June 2005 11:33, Birger Tödtmann wrote:
> On Wednesday, 01.06.2005, at 15:23 +0100, Ian G wrote:
> [...]
>
> > For an example of the latter, look at Netcraft.  This is
> > quite serious - they are putting out a tool that totally
> > bypasses PKI/SSL in securing browsing.  Is it insecure?
> > Yes of course, and "it leaks my data like a sieve" as
> > one PKI guy said.
>
> [...]
>
> What I currently fail to see is the link to SSL.  Or, to its PKI model.

That's the point.  There is no link to SSL or PKI.
The only thing in common is the objective - to
protect the user when browsing.  Secure browsing
is now being offered by centralised database sans
crypto.

> Netcraft bypasses it, but I won't use Netcraft exclusively because I'm
> happy to use the crypto in SSL.  Netcraft and Trustbar are really nice
> add-ons to improve my security *with SSL*.  So where is the point?

Sure, I think it is a piece of junk, myself.  But I
am not important, I'm not an "average user."
The only thing that is important is what the user
thinks and does.

When Netcraft announced their plugin had been
ported from IE to Firefox last week, they also
revealed that they had "60,000 downloads in
hours."  That tells us a few things.

Firstly, users want protection from phishing.

Secondly, Netcraft have succeeded enough
in the IE world in creating a user base for their
solution that it easily jumped across to the
Firefox userbase and scored impressive numbers
straight away.  Which tells us that it actually
delivers something useful (which may or may
not be security).  So we cannot discount that
the centralised database concept works "well
enough" by some measure or other.

So now we wait to see which model wins in
protecting the user from spoofing.

iang
-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


