Bill Stewart, ever the realist, despite the futility of rational thought in confronting today's world, wrote:
At 01:54 AM 4/11/97 -0500, ARTURO GRAPA YSUNZA wrote:
See http://www.Microsoft.com/security/ under "Credit Card Security Concerns and Microsoft's Response" for Microsoft's response on the SSL GET/POST weakness. ¿Any opinions?
I was highly unimpressed with Microsoft's Response: "It's Not A Security Flaw" "But Everybody Important Works Around It" "And we're fixing it in the next release" without providing much detail about what's going on. It does indicate what to look into to avoid it when writing web pages, but it doesn't say how to avoid it when entering your credit card number into a web page, or what to look for as a non-programmer user.
Bill seems to be one of the few people to realize that tips and tricks for experienced programmers do nothing at all for the common user, who has no way of discerning which of the programs and sites that they access are indeed compensating for a system which contains a plethora of basic faults. When facing a firing squad, there is little comfort in knowing that only one or two of the rifles contain real bullets. Pardon me for suggesting that the average user will realize that he need not volunteer to face the firing squad if he doesn't want to. The 10,000 people who enter their credit card number at a web page prompt won't be on the nightly news. The guy or gal whose life was ruined when they did so, will be. Does anyone care to estimate what percentage of the 10,000 who didn't get totally screwed will think twice before using their credit card on the web again?
--
Toto
"The Xenix Chainsaw Massacre"
http://bureau42.base.org/public/xenix/xenbody.html