On Mon, Oct 13, 2003 at 10:27:45PM -0400, Ian Grigg wrote:
> The situation is so ludicrously unbalanced, that if
> one really wanted to be serious about this issue,
> instead of dismissing certs out of hand (which would
> be the engineering approach c.f., SSH), one would
> run ADH across the net and wait to see what happened.
> Or, spit credit cards in open HTTP, and check how
> many were tried by credit card snafflers.  You might
> be waiting a long time :-)  But, that would be a
> serious way for credit card companies to measure
> whether they care one iota about certs or even
> crypto at all.

You're probably right about waiting a long time, but might that be
because trying to sniff credit card numbers is not worth it?
Not worth it because virtually everyone uses SSL when making on-line
purchases.  If everyone stopped using SSL, would we not expect to see
an increase in credit card sniffing?

Since, as you say, sniffing on the wire is harder than compromising
the end nodes, the bad guys naturally go after the low hanging
fruit, especially since a great deal of the ``interesting'' traffic
is cryptographically protected (or at least hardened).
*Of course* SSL isn't a complete security solution, but it is
effective in solving part of the problem; perhaps so well that it
makes it appear as if the problem doesn't exist.


The Cryptography Mailing List