An attack on paypal

James A. Donald jamesd at echeque.com
Tue Jun 10 15:31:41 PDT 2003


    --
On 8 Jun 2003 at 20:00, Anne & Lynn Wheeler wrote:
> that is why we coined the term merchant "comfort"
> certificates some time ago. my wife and I having done early
> work for payment gateway with small client/server startup in
> Menlo Park ... that had this thing called SSL/HTTPS ... and
> then having to perform due diligence on the major issuers of
> certificates .... we recognized 1) vulnerabilities in the
> certificate process and 2) information hiding of transaction
> in flight only addressed a very small portion of the
> vulnerabilities and exploits.

HTTPS is like a strong fortress wall that only goes halfway
around the fortress.

The most expensive and inconvenient part of HTTPS, getting
certificates from VeriSign, is fairly useless.

The useful part of HTTPS is that it has stopped password
sniffing from networks, but the PKI part, where the server, but
not the client, is supposedly authenticated, does not do much
good.

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     9ZQw+0/xh1y28CkGulSQSVxewfy71qzXGHI8KJbN
     4osBv1veq07jaMVh2zVetZVKqIRfQjiwJaKu99GqM





More information about the cypherpunks-legacy mailing list