When encryption is also authentication...

Ian Grigg iang at systemics.com
Thu May 30 05:34:49 PDT 2002 

> SSL for commerce is readily in place without batting an eyelid these days.

Costs are still way too high.  This won't change until
browsers are shipped that treat self-signed certs as being
valid.  Unfortunately, browser manufacturers believe in
cert-ware for a variety of non-security reasons.

Hopefully, one day the independant browser manufacturers
will ship browsers that show a different icon for self-
certs, rather than annoy the user with mindless security
warnings.  Then, we can expect a massive increase in
secure browsing as sites start defaulting to self-signed
certs, and a consequent massive increase in security, as
well as a follow-on massive increase in the sale of certs.

Unfortunately, we probably won't see an enhanced market
for CA certs until Verisign goes broke.

> However, I'd be interested to know just how many users out there would enter
> their card details on an unprotected site, despite the unclosed padlocks
> and the
> alert boxes.

Huge numbers of them.  You won't see it in security
lists, but most of your average people out there do
not understand the significance of the padlock, and
when merchants request credit card numbers, they
quietly forget to tell them.

And, in a lot of cases, credit card details are
shipped over cleartext email rather than browsers.
Many of these merchants have card-holder-present
agreements, the restrictions of which, they just
ignore.  Commerce being what commerce is, it is
more important to get the sale than deal with some
obscure security nonsense that doesn't make sense.

> Have security fears and paranoia been abated by widespread crypto
> to the point whereby users will happily transmit private data, whether
> encrypted
> or nay, just because they *perceive* the threat to now be minimal? Now that the
> media has grown tired of yet-another-credit-card-hack story?

Much of today's body of (OECD) net users don't read
the news about the net and don't understand the debate,
nor can they make sense of how to protect themselves
from a site that is hacked...

Three or four years back, much of the body of the
net was still technically advanced and capable of
understanding the fallacious security arguments.

These days, perversely, the users are better able
to evaluate the security risks, because they don't
understand the arguments, so they look to the
actual experience, which provides no warnings.

> Pointers to any evidence/research into this much appreciated... ta.

Unfortunately, real data is being kept back by the
credit card majors.  It is my contention that there
has never been a case of sniffed-credit-card-abuse,
and nobody I've ever talked to in the credit card
world has ever been able to change that.

On the whole, all net-related credit card fraud is
to do with other factors:  mass thefts from hacked
databases, fraudulent merchant gatherings, fear-of-
wife revocations, etc.  Nothing, ever, to do with
on-the-wire security.

-- 
iang

More information about the cypherpunks-legacy mailing list