----- Original Message -----
From: Raju Mathur <[EMAIL PROTECTED]> On Sunday, March 25, 2001 9:30 AM
<SNIP>
> First, some statistics:
>
> Number of credit card numbers stolen from badly/not-configured vendor
> systems:
> a few million and growing.
> </SNIP>
Security is as good as the Admin ... && if the system is badly configured, why
just credit card details?
Everything on the server is potentially exposed.
I'm inclined to feel that security outrages are more a product of
careless/half-literate people manning the systems (who might be less than 'a
few million' but 'growing'), rather than electronically exchanging sensitive
data being an unsafe medium.
<SNIP>
> So, if you want your transaction to be secure, do the following:
>
> 1. Forget about SSL. It doesn't matter. Really. If the people
> sitting on the VSNL routers are smart enough to pick up your CC number
> from your data stream, give them a large hand -- they're pretty
> low-paid anyway and they deserve it.
Actually, even if the VSNL people were to pick up the data, which
is unfortunately encrypted, it would take 'em 13 million years (there's an
exact calculation for RSA) to
generate the message, encrypted with 128-bit session keys ;-)
> 3. telnet ip.of.vendor.system 80
> HEAD / HTTP/1.0
>
> If the response string contains ``IIS'', don't send your CC number.
</SNIP>
Unfortunately, many Indian e-commerce sites are designed with ASP, && mostly
the response string will be IIS ...
So there goes the e-commerce revolution in India ...
Bye
Zen