On Mon, Oct 13, 2003 at 10:27:45PM -0400, Ian Grigg wrote:
> The situation is so ludicrously unbalanced, that if
> one really wanted to be serious about this issue,
> instead of dismissing certs out of hand (which would
> be the engineering approach c.f., SSH), one would
> run ADH across the net and wait to see what happened.
>
> Or, spit credit cards in open HTTP, and check how
> many were tried by credit card snafflers. You might
> be waiting a long time :-) But, that would be a
> serious way for credit card companies to measure
> whether they care one iota about certs or even
> crypto at all.
>
You're probably right about waiting a long time, but might that be because trying to sniff credit card numbers is not worth it? Not worth it because virtually everyone uses SSL when making on-line purchases. If everyone stopped using SSL, would we not expect to see an increase in credit card sniffing?

Since, as you say, sniffing on the wire is harder than compromising the end nodes, the bad guys naturally go after the low hanging fruit, especially since a great deal of the ``interesting'' traffic is cryptographically protected (or at least hardened).

*Of course* SSL isn't a complete security solution, but it is effective in solving part of the problem; perhaps so well that it makes it appear as if the problem doesn't exist.

jcs