Julien Pierre wrote:
> So SSL security plays a much more important role than you think. I know this from experience.
You have experience of someone stealing your credit card over a connection? That's something I'd like to hear about. It would be very useful to apply some statistics to the situation.
I'm hoping that Mozilla can realise this. There is an opportunity here to restart the security process that has lain dormant for a decade. And a crying need - the threats today are from spoofs/phishing, viruses, insider robbery, database hacks, and so forth - all of which need to be addressed by a wholistic approach to security, not by worrying about this cert or that CA covering a threat that doesn't exist except in the minds of cryptography academics.
Certainly other attacks exist, but attacks on certificates are one type of attack that is possible. I agree that indeed Mozilla should be reviewed for all types of attacks, not just crypto/certificate attacks, but not that we should ignore crypto/certificate attacks.
How much time is spent arguing about crypto/cert attacks? How much time is spent coding for phishing attacks? How many of each attack occur, and how much are people losing on each attack?
In the sector I've spent most of my time monitoring, DGCs (digital gold currencies), I've seen maybe 50 phishing attacks. One used SSL. None were protected by the CAs. Zero, zip, nada.
In fact, one DGC, a quite successful one, didn't even bother to use a CA cert. The site purchased a multi-year one about 2 years back and took over a year to install it; meantime customers had to "suffer" doing $1000 transactions over "unprotected" self-signed cert-protected SSL connections.
Everybody knew this, and nothing happened. Why?
No crook in his right mind or even his wrong mind would do an MITM. It just isn't a practical attack. That applies as much to open, cleartext connections as to SSL connections. So, what's the threat here?
It's possible to scale Everest, and has been done many times by the daft and the frigid. That doesn't mean that Nepal has to worry about a flood of refugees from that direction....
iang

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
