Ian,

Ian Grigg wrote:

>> So SSL security plays a much more important role than you think. I know this from experience.

> You have experience of someone stealing your credit card over a connection? That's something I'd like to hear about. It would be very useful to apply some statistics to the situation.

No, I know from experience that if you have a bogus transaction on your card in France, it's up to you to prove it, and the bank will not automatically reverse it. You have to file police reports and so on. It's very painful. I know several other people to whom it happened over there, as well. I don't know for sure how the card numbers got compromised, but through an insecure connection is a strong possibility, since retail transactions in France use smartcards, not magnetic stripes, and more than just a "number" is required to authorize any retail transaction. The number method is only used for remote transactions (mail order, internet).


I also know someone in the US who lost her credit card number over a connection. She did a non-SSL transaction (with a business that didn't have a cert) on a university network, and other students were snooping on the connection and collecting numbers.

> How much time is spent arguing about crypto/cert attacks? How much time is spent coding for phishing attacks? How many of each attack occur, and how much are people losing on each attack?
> In the sector I've spent most of my time monitoring, DGCs (digital gold currencies), I've seen maybe 50 phishing attacks. One used SSL. None were protected by the CAs. Zero, zip, nada.

That shows that current SSL security with trusted CA is rarely attacked. We should not lower the value of using SSL in this model by adding random CA unaudited certs without distinction.


The entire discussion of CA certificate policy is about the SSL with trusted CA case. Any other case is irrelevant to the CA policy discussion, IMO. The other cases are relevant to browser security preferences and defaults. And I'm all for having more security warnings on by default. But it's another discussion.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
