On Wednesday 18 May 2005 07:24, Nelson B wrote:
> Ian G wrote:
> > In practice, sites see HTTPS as a cost, and a barrier. It doesn't
> > provide any protection that they *need* although this might be
> > less true in the future and for big sites.
>
> So, you're saying they don't need encryption, they don't need
> authentication, they don't need validation, and (I gather)

Actually, the sites need authentication and validation, but of their users, and this is provided by passwords and user names, primarily. It's not provided by SSL client certs, but the passwords are protected from eavesdropping by SSL. If SSL were to be useful in providing client authentication, then client certs should be used on a more on-demand basis so that they are easily available to clients and merchants.

However, their real needs are somewhat more important than that fairly minor issue. They need protection from cracking/hacking, insider fraud and fraudulent access, none of which are identified and targeted by SSL, as anyone responsible for overall security in a big corp will tell you. Now, it may be said that SSL simply doesn't cover those, which is fair, but security is an overall equation, which means that unless the really big holes are covered, there is no point in worrying too much about the small holes.

> they think their users don't need those things either.

It's a basic starting point that sites don't give a damn what their users need. This is why Mozilla has so much potential: it might care what users need, and not care what other stakeholders need.

> So, why do they bother with https at all?

Because of the popups. Ask them. To stop customers being punished. Give them an easier time; an extra click is well known to have a strong effect on the number of sales.

> If it's so much bother, and not offering any protections they need,
> why do they bother? Are they stupid?

Nope, they are rational. They do it because the customers tell them that the popups drive them away. They do *not* in general do it because it adds security to their site.

You must have missed the Choicepoint affair. This is a large company that aggregates all your data and sells it. It is one of a bunch. Now, understanding where Choicepoint gets its data and how it distros it and where it is stolen is *key* to understanding security.

In the Choicepoint world (and Internet merchants have known this since their first year in business) there is little point in worrying about any protection that SSL affords in its current posture. Crooks aren't stupid. They don't bother to eavesdrop on open clear connections if they can walk in and lift databases. Or open an account with Choicepoint using a stolen credit card and "buy" what they want.

iang
--
http://iang.org/

_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
