Re: SSL certificates
Andrew Suffield wrote:
> Nobody steals credit card numbers by capturing traffic from you to the
> server. It's difficult and ineffective and slow, even if the session
> isn't encrypted. They crack the server and steal hundreds of thousands
> at once.
I hope no one here is moronic enough to have credit card numbers on
their servers! To have a transaction record, I would just store
MD5(credit_card_number + expiration_date + transaction_dtime +
transaction_id).
The point of SSL is that it becomes more "difficult" to obtain numbers.
But it is basically the end-user, especially the somewhat computer-aware
person, that thinks SSL == secure server. There is enough crap about
that on vendors' sites. All of them keep hammering away about their
"secure servers".
But my point was more subtle. I meant to hint that if someone cannot
afford a public certificate from a CA, then they should not be accepting
credit cards anyway. The costs of the latter surpass the costs of the former.
> This was *precisely* the example Schneier gave in crypto-gram. SSL
> just does not matter, so it's not really a big deal that it isn't
> really secure.
It matters a little bit, but not too much. It is still simpler to just
grep the network for /5191\d{12}/ if the credit card numbers are in the
clear.
- Adam
PS. There is also a downside to SSL - increased complexity. The server
actually becomes *less* secure after you enable SSL on public services.
--
Building your applications one byte at a time
http://www.galacticasoftware.com
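The transaction record scheme described in the post, as an added example that is not the author's code: it derives the MD5 record from the four named fields, checks a card presented later against the stored record, and sets a keyed HMAC-SHA256 variant beside it for comparison (the keyed variant is an addition, not from the post). The "|" separator, the field order and all sample values are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample transaction; the field names follow the post. The card
# number is a made-up string, not a real account.
SAMPLE_CARD = "5191000000000001"
SAMPLE_EXP = "12/09"
SAMPLE_DTIME = "2003-04-01T12:34:56Z"
SAMPLE_TXID = "TX-000123"


def transaction_record(card, exp, dtime, txid):
    """MD5 over the four fields, as the post describes.

    The post joins the fields with '+'; the '|' separator and the field
    order used here are assumptions so the concatenation is unambiguous
    (no two distinct field tuples can produce the same input string).
    """
    material = "|".join((card, exp, dtime, txid)).encode("utf-8")
    return hashlib.md5(material).hexdigest()


def record_matches(record, card, exp, dtime, txid):
    """Re-derive the digest from a card presented later (for example in a
    dispute) and compare it to the stored record in constant time, so the
    card number itself never needs to be kept on the server."""
    return hmac.compare_digest(record, transaction_record(card, exp, dtime, txid))


def keyed_transaction_record(key, card, exp, dtime, txid):
    """Keyed variant, not from the post: HMAC-SHA256 under a merchant-held
    key. A plain hash can be recomputed by anyone who knows the other three
    fields and enumerates candidate card numbers; the keyed digest cannot
    be recomputed or checked without the key."""
    material = "|".join((card, exp, dtime, txid)).encode("utf-8")
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def demo():
    """Store a record, then check a correct and a wrong card against it."""
    rec = transaction_record(SAMPLE_CARD, SAMPLE_EXP, SAMPLE_DTIME, SAMPLE_TXID)
    return {
        "record": rec,
        "matches": record_matches(rec, SAMPLE_CARD, SAMPLE_EXP, SAMPLE_DTIME, SAMPLE_TXID),
        "wrong_card": record_matches(rec, "5191000000000019", SAMPLE_EXP, SAMPLE_DTIME, SAMPLE_TXID),
        # The key below is a placeholder; a real deployment keeps it outside the database.
        "keyed": keyed_transaction_record(b"merchant-key-placeholder", SAMPLE_CARD,
                                         SAMPLE_EXP, SAMPLE_DTIME, SAMPLE_TXID),
    }
```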