[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSL certificates

Andrew Suffield wrote:

> <>Nobody steals credit card numbers by capturing traffic from you to the
> server. It's difficult and ineffective and slow, even if the session
> isn't encrypted. They crack the server and steal hundreds of thousands
> at once.

I hope no one here is moronic enough to have credit card numbers on
their servers! To have a transaction record, I would just store
MD5(credit_card_number + expiration_date + transaction_dtime +

The point of SSL is that it becomes more "difficult" to obtain numbers.
But it is basically the end-user, especially the somewhat computer-aware
person, that thinks SSL == secure server. There is enough crap about
that on vendor's sites. All of them keep hammering away about their
"secure servers".

But my point was more subtle. I meant to hint that if someone cannot
afford a public certificate from a CA, then they should not be accepting
credit cards anyway. The cost of the latter surpass the costs of the former.

>This was *precisely* the example Schneier gave in crypto-gram. SSL
>just does not matter, so it's not really a big deal that it isn't
>really secure.
It matters a little bit, but not too much. It is still simpler to just
grep the network for /5191\\d{12}/ if the credit card number are in the

- Adam

PS. There is also a downside to SSL - increased complexity. The server
actually becomes *less* secure after you enable SSL on public services.

Building your applications one byte at a time

Reply to: