Re: SSL certificates

To: debian-devel@lists.debian.org
Subject: Re: SSL certificates
From: Adam Majer <adamm@galacticasoftware.com>
Date: Mon, 20 Sep 2004 14:16:39 -0500
Message-id: <[🔎] 414F2C97.5040604@galacticasoftware.com>
In-reply-to: <[🔎] 20040920004137.GA23493@suffields.me.uk>
References: <[🔎] 20040918210501.GE29882@cs.helsinki.fi> <[🔎] 20040918224745.GA15879@gwolf.org> <[🔎] 20040919085424.GA2449@cs.helsinki.fi> <[🔎] 20040919154434.GB32691@dat.etsit.upm.es> <[🔎] 20040919190317.GB4041@suffields.me.uk> <[🔎] 20040919205434.GE7430@cs.helsinki.fi> <[🔎] 414E15B9.2070101@galacticasoftware.com> <[🔎] 20040920004137.GA23493@suffields.me.uk>

Andrew Suffield wrote:

> <>Nobody steals credit card numbers by capturing traffic from you to the
> server. It's difficult and ineffective and slow, even if the session
> isn't encrypted. They crack the server and steal hundreds of thousands
> at once.

I hope no one here is moronic enough to have credit card numbers on
their servers! To have a transaction record, I would just store
MD5(credit_card_number + expiration_date + transaction_dtime +
transaction_id).

The point of SSL is that it becomes more "difficult" to obtain numbers.
But it is basically the end-user, especially the somewhat computer-aware
person, that thinks SSL == secure server. There is enough crap about
that on vendor's sites. All of them keep hammering away about their
"secure servers".

But my point was more subtle. I meant to hint that if someone cannot
afford a public certificate from a CA, then they should not be accepting
credit cards anyway. The cost of the latter surpass the costs of the former.

>This was *precisely* the example Schneier gave in crypto-gram. SSL
>just does not matter, so it's not really a big deal that it isn't
>really secure.
>  
>
It matters a little bit, but not too much. It is still simpler to just
grep the network for /5191\\d{12}/ if the credit card number are in the
clear.

- Adam

PS. There is also a downside to SSL - increased complexity. The server
actually becomes *less* secure after you enable SSL on public services.

-- 
Building your applications one byte at a time
http://www.galacticasoftware.com

Reply to:

Follow-Ups:
- Re: SSL certificates
  - From: Andrew Suffield <asuffield@debian.org>

References:
- SSL certificates
  - From: Kai Hendry <hendry@cs.helsinki.fi>
- Re: SSL certificates
  - From: Gunnar Wolf <gwolf@gwolf.org>
- Re: SSL certificates
  - From: Kai Hendry <hendry@cs.helsinki.fi>
- Re: SSL certificates
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: SSL certificates
  - From: Andrew Suffield <asuffield@debian.org>
- Re: SSL certificates
  - From: Kai Hendry <hendry@cs.helsinki.fi>
- Re: SSL certificates
  - From: Adam Majer <adamm@galacticasoftware.com>
- Re: SSL certificates
  - From: Andrew Suffield <asuffield@debian.org>

Prev by Date: Re: Updating scanners and filters in Debian stable (3.1)
Next by Date: Re: SSL certificates
Previous by thread: Re: SSL certificates
Next by thread: Re: SSL certificates
Index(es):
- Date
- Thread