On 08/13/2010 02:12 PM, Jon Callas wrote:
What on earth happened?  Was there a change in banking regulations in the last
few months?

Possibly it's related to PCI DSS and other work that BITS has been doing. Also, 
if one major player cleans up their act and sings about how cool they are, then 
that can cause the ice to break.

Another possibility is that a number of people in financials have been able to 
get security funding despite the banking disasters because the risk managers 
know that the last thing they need is a security brouhaha while they are 
partially owned by government and thus voters.

I bet on synergies between both.

If I were a CSO at a bank, I might encourage a colleague to make a presentation 
about how their security cleanups position them to get an advantage at getting 
out from under the thumb of the feds over their competitors. Then I would make 
sure the finance guys got a leaked copy.


the original requirement for SSL deployment was that it was on from the 
original URL entered by the user. The drop-back to using SSL for only small 
subset ... was based on computational load caused by SSL cryptography .... in 
the online merchant scenario, it cut thruput by 90-95%; alternative to handle 
the online merchant scenario for total user interaction would have required 
increasing the number of servers by factor of 10-20.

One possibility is that the institution has increased the server capacity ... 
and/or added specific hardware to handle the cryptographic load.

A lot of banking websites are not RYO (roll-your-own), internally developed ... 
but stuff they by from vendor and/or have the website wholly outsourced.

Also some number of large institutions have their websites outsourced to 
vendors with large replicated sites at multiple places in the world ... and 
users interaction gets redirected to the closest server farm. I've noticed this 
periodically when the server farm domain name and/or server farm SSL 
certificate bleeds thru ... because of some sort of configuration and/or 
operational problems (rather than seeing the institution SSL certificate that I 
thot I was talking to).

Another possibility is that the vendor product that they may be using for the 
website and/or the outsourcer that is being used ... has somehow been upgraded 
(software &/or hardware).

virtualization experience starting Jan1968, online at home since Mar1970

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to