Richard Lynch wrote:
>You can create your own SSL key pair very, very, very easily...
>But unless you paid the $200 to get it from a CA, surfers will see a nasty
>(and totally inaccurate/misleading) warning about how insecure it is.
They should. To do otherwise would be inaccurate and misleading.
>The transmission is no less secure -- It's that the web-server on the other
>end was too cheap to pay the $200 for a CA key.
No, the transmission is much less secure. You cannot be guaranteed the
identity of the Web server you're communicating with. You think just
because the HTTP transaction is encrypted that it is secure? What if
your encrypted transaction is taking place with some criminal? You
still feel secure?
>Yes, the basic model for the security of all eCommerce is:
>"You pay some large corporation $200, and they trust you."
No, you pay some large corporation money, because the majority of
browsers currently in use trust certificates issued by that corporation.
They've had to undergo extensive C&A processes to ensure the integrity
of their operation, and they've also had to shell out some big money to
Microsoft and Netscape to have their root certificates installed and
trusted into their browsers.
>Alas, the *BROWSER* makes it sound like the whole thing is very shady, when,
>in reality, if you trust the web-site (certainly more than I trust
>Microsoft!) then it's just as secure.
The browser *should* issue a warning when the identity of the Web server
it is about to communicate with cannot be guaranteed. You seem to be
confused about where the trust lies. If I trust the Web site
http://www.mybuddy.org/ (hypothetical best friend's Web site), does that
mean I should trust any certificate that is issued to www.mybuddy.org?
What if the certificate's root CA was a criminal's PC? Are you *sure*
that's your friend's Web site that you are communicating with?
However, if you do trust a certain CA (perhaps your own), you can import
your root certificate into your browser and check some boxes to trust
it. Luckily, browsers don't even allow a method for you to "trust" a
It is quite trivial to generate a certificate for www.amazon.com. It
isn't too terribly difficult to make someone's computer think
www.amazon.com is your Web site. Here come the encrypted credit card
numbers. Good thing they're secure. :)
The point is, PKI isn't about encryption alone. In fact, the "textbook"
answer to the question of what services PKI provides is:
If it only provided confidentiality, quite honestly, PKI would be
useless as it is implemented today.
PHP General Mailing List (http://www.php.net/)
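
The reply's distinction between an encrypted channel and a verified identity can be reproduced with the openssl command line. This is an added example, not part of the original post; the host name www.example.test, the "Demo Root CA", the file names and the helper functions are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo; every name and file here is made up for illustration.
set -eu

# make_pki DIR: build a private root CA, a server certificate signed by it,
# and an unrelated self-signed certificate that claims the same host name.
make_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/srv.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
    -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null
}

# subject_of CERT: the name the certificate claims for itself.
subject_of() {
  openssl x509 -noout -subject -in "$1"
}

# verify_with ROOT CERT: does CERT chain to the one root we chose to trust?
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

work=$(mktemp -d)
make_pki "$work"
# Both certificates claim the same name and both can key an encrypted session;
# only the one that chains to the trusted root passes verification.
echo "CA-signed:   $(subject_of "$work/srv.crt") -> $(verify_with "$work/ca.crt" "$work/srv.crt")"
echo "self-signed: $(subject_of "$work/self.crt") -> $(verify_with "$work/ca.crt" "$work/self.crt")"
rm -rf "$work"
```

Passing the self-signed certificate as its own `-CAfile` makes it verify, which corresponds to the explicit import of a root certificate that the post mentions.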