"R. Hirschfeld" <[EMAIL PROTECTED]> writes:

>> From: "Perry E. Metzger" <[EMAIL PROTECTED]>
>> Date: Wed, 08 Jun 2005 19:01:37 -0400
>
>> The other major offenders are organizations (such as portions of
>> Verizon) that subcontract payment systems to third parties. They are
>> training their users to expect to be directed to a site they don't
>> recognize to enter in their credit card information. "Really! This is
>> your vendor's payment site! Pay no attention to the URL and
>> certificate!"
>>
>> That one in particular takes amazing brains...
>
> For Verizon maybe, but there are plenty of Mom and Pop internet
> merchants for which it is arguably more secure to do it this way. The
> merchant never sees the customer's payment information and thus
> needn't know how to properly protect it, and one-time shoppers may not
> know/trust the merchant anyway. If the redirect is from a secure
> merchant site to a secure payment provider site, and the merchant site
> informs users where they will be redirected, is this so bad?
If the merchant site is secured by SSL, and prominently says that you will be redirected to a given provider, it is perhaps not so bad in theory. However, in practice, this fails the "simple rules my mom can follow" test. I'd rather that they hand a short term cert and DNS delegation to their processing partner.

What I want to be able to do is tell my mom something dead simple, like "never enter your username and password or credit card information unless the web page is the one you are expecting, and it has the 'lock icon' in the corner and the lock icon doesn't look like someone was faking it."

Now, we face two major problems here.

1) Every complication you add on top of that means that you're training lots and lots of very naive users to do things that are potentially unsafe. Training users to expect to do unsafe things (like what Amex or Verizon are doing) is bad, because then they won't notice in the future when they are asked to do something unsafe by a bad guy.

Fidelity, to my mind, is a model of good user training. They have a set of very good web pages (see http://personal.fidelity.com/accounts/services/findanswer/content/security/minimize_risk.shtml and others) that give users excellent advice on never entering passwords on pages that didn't arrive encrypted, never emailing personal information, etc. They allow customers to avoid ever exposing social security numbers to customer service reps, encourage users to use those services, etc. Their login page itself comes SSL encrypted. There may be other security problems they have, but encouraging users to do unsafe things isn't one of them.

Now, here they (and I and others) go, trying hard to educate users about what the right thing is, and others go around forcing users to do the wrong thing just to get their day to day business done! After a while, people's defenses drop because they're being constantly trained to do the wrong thing.
2) The other issue is that the browser accepts certs from so many CAs, many of which have effectively no security. There are ways to fix this long term, but that is a whole separate discussion.

--
Perry E. Metzger		[EMAIL PROTECTED]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
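The two models discussed in the thread (a checkout that stays on a host the merchant controls and has delegated to its processor, versus a redirect to a third-party payment domain the shopper has never seen) can be expressed as a concrete check. The following is an added example, not code from the thread or from any merchant or processor mentioned in it; the domain names are hypothetical. It encodes the "the web page is the one you are expecting, over SSL" rule: the target must use https, must carry no userinfo (a classic host-spoofing trick), and must either sit within the merchant's own domain or be one of the providers the merchant explicitly announced in advance, as in Hirschfeld's alternative.

```python
"""Decide whether a checkout redirect keeps the shopper somewhere they can
recognise.  Added example (hypothetical hostnames), not the thread's code."""
from urllib.parse import urlsplit


def host_within(host: str, domain: str) -> bool:
    """True if host equals domain or is a proper subdomain of it.

    Comparison is label-wise and case-insensitive, so
    'merchant.example.attacker.test' does NOT count as within
    'merchant.example' (a plain substring test would accept it).
    """
    host = host.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def redirect_ok(url: str, merchant_domain: str,
                announced_providers: frozenset[str] = frozenset()) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed payment redirect.

    merchant_domain     - the domain the shopper came to and expects to stay on
                          (the "DNS delegation to the processor" model).
    announced_providers - domains the merchant told the shopper, up front, that
                          payment would be handed to (the "informs users where
                          they will be redirected" model).  Empty by default.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:          # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme!r}, not https (no lock icon)"

    # 'https://merchant.example@evil.test/' shows the expected name in the
    # address bar's first glance but actually connects to evil.test.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present in URL; host is being disguised"

    host = parts.hostname            # lower-cased, port stripped, brackets removed
    if not host:
        return False, "no hostname"

    if host_within(host, merchant_domain):
        return True, f"stays within {merchant_domain}"

    for provider in announced_providers:
        if host_within(host, provider):
            return True, f"goes to announced provider {provider}"

    return False, f"host {host!r} is neither {merchant_domain!r} nor an announced provider"


if __name__ == "__main__":
    # Constructed sample redirects for a hypothetical merchant.
    cases = [
        "https://pay.merchant.example:443/checkout?order=42",
        "http://pay.merchant.example/checkout",
        "https://merchant.example.attacker.test/checkout",
        "https://merchant.example@attacker.test/checkout",
        "https://secure-payments.example/m/merchant/checkout",
    ]
    for u in cases:
        ok, why = redirect_ok(u, "merchant.example")
        print(("ACCEPT" if ok else "REJECT"), u, "->", why)
```

Note that `host_within` deliberately refuses `merchant.example.attacker.test`; the second-to-last case is the shape of attack the thread worries about once users have been trained that "some other domain" is normal. Passing `announced_providers=frozenset({"secure-payments.example"})` accepts the last case, which models the disclosed-redirect arrangement Hirschfeld describes; leaving it empty models Perry's preference for keeping everything under the merchant's own name.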