Richard Lynch wrote:

>You can create your own SSL key pair very, very, very easily...
>But unless you paid the $200 to get it from a CA, surfers will see a nasty
>(and totally inaccurate/misleading) warning about how insecure it is.

They should. To do otherwise would be inaccurate and misleading.

>The transmission is no less secure -- It's that the web-server on the other
>end was too cheap to pay the $200 for a CA key.

No, the transmission is much less secure. You cannot be guaranteed the 
identity of the Web server you're communicating with. You think just 
because the HTTP transaction is encrypted that it is secure? What if 
you're encrypted transaction is taking place with some criminal? You 
still feel secure?

>Yes, the basic model for the security of all eCommerce is:
>"You pay some large corporation $200, and they trust you."

No, you pay some large corporation money, because the majority of 
browsers currently in use trust certificates issued by that corporation. 
They've had to undergo extensive C&A processes to ensure the integrity 
of their operation, and they've also had to shell out some big money to 
Microsoft and Netscape to have their root certificates installed and 
trusted into their browsers.

>Alas, the *BROWSER* makes it sound like the whole thing is very shady, when,
>in reality, if you trust the web-site (certainly more than I trust
>Microsoft!) then it's just as secure.

The browser *should* issue a warning when the identity of the Web server 
it is about to communicate with cannot be guaranteed. You seem to be 
confused about where the trust lies. If I trust the Web site (hypothetical best friend's Web site), does that 
mean I should trust any certificate that is issued to 
What if the certificate's root CA was a criminal's PC? Are you *sure* 
that's your friend's Web site that you are communicating with?

However, if you do trust a certain CA (perhaps your own), you can import 
your root certificate into your browser and check some boxes to trust 
it. Luckily, browsers don't even allow a method for you to "trust" a 
domain name.

It is quite trivial to generate a certificate for It 
isn't too terribly difficult to make someone's computer think is your Web site. Here come the encrypted credit card 
numbers. Good thing they're secure. :)

The point is, PKI isn't about encryption alone. In fact, the "textbook" 
answer to the question of what services PKI provides is:

1. Identification
2. Authentication
3. Authorization
4. Integrity
5. Confidentiality
6. Non-Repudiation

If it only provided confidentiality, quite honestly, PKI would be 
useless as it is implemented today.

Happy hacking.


PHP General Mailing List (
To unsubscribe, visit:

Reply via email to