Richard Lynch wrote:

>You can create your own SSL key pair very, very, very easily...
>
>But unless you paid the $200 to get it from a CA, surfers will see a nasty
>(and totally inaccurate/misleading) warning about how insecure it is.
>

They should. To do otherwise would be inaccurate and misleading.

>The transmission is no less secure -- It's that the web-server on the other
>end was too cheap to pay the $200 for a CA key.
>

No, the transmission is much less secure. You cannot be guaranteed the 
identity of the Web server you're communicating with. You think just 
because the HTTP transaction is encrypted that it is secure? What if 
your encrypted transaction is taking place with some criminal? You 
still feel secure?

>Yes, the basic model for the security of all eCommerce is:
>
>"You pay some large corporation $200, and they trust you."
>

No, you pay some large corporation money, because the majority of 
browsers currently in use trust certificates issued by that corporation. 
They've had to undergo extensive C&A processes to ensure the integrity 
of their operation, and they've also had to shell out some big money to 
Microsoft and Netscape to have their root certificates installed and 
trusted into their browsers.

>Alas, the *BROWSER* makes it sound like the whole thing is very shady, when,
>in reality, if you trust the web-site (certainly more than I trust
>Microsoft!) then it's just as secure.
>

The browser *should* issue a warning when the identity of the Web server 
it is about to communicate with cannot be guaranteed. You seem to be 
confused about where the trust lies. If I trust the Web site 
http://www.mybuddy.org/ (hypothetical best friend's Web site), does that 
mean I should trust any certificate that is issued to www.mybuddy.org? 
What if the certificate's root CA was a criminal's PC? Are you *sure* 
that's your friend's Web site that you are communicating with?

However, if you do trust a certain CA (perhaps your own), you can import 
your root certificate into your browser and check some boxes to trust 
it. Luckily, browsers don't even allow a method for you to "trust" a 
domain name.

It is quite trivial to generate a certificate for www.amazon.com. It 
isn't too terribly difficult to make someone's computer think 
www.amazon.com is your Web site. Here come the encrypted credit card 
numbers. Good thing they're secure. :)

The point is, PKI isn't about encryption alone. In fact, the "textbook" 
answer to the question of what services PKI provides is:

1. Identification
2. Authentication
3. Authorization
4. Integrity
5. Confidentiality
6. Non-Repudiation

If it only provided confidentiality, quite honestly, PKI would be 
useless as it is implemented today.

Happy hacking.

Chris
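The distinction drawn above between trusting a CA and trusting a domain name, as an added shell example that is not part of the original thread: it assumes the openssl CLI (1.1.1 or newer) is installed and uses the hypothetical host www.mybuddy.org from the post. A private CA signs a leaf certificate, and a verifier only accepts the server once both the chain is trusted and the name matches.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI
# (1.1.1 or newer). Builds a private root CA and a leaf certificate for the
# hypothetical host www.mybuddy.org, then shows what a verifier (a browser,
# or any TLS client) concludes with and without trusting that CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: a private root CA (the "certain CA, perhaps your own" above).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Private Root CA" >/dev/null 2>&1
}

# Step 2: a leaf certificate bound to www.mybuddy.org, signed by that CA.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    -subj "/CN=www.mybuddy.org" >/dev/null 2>&1
  printf 'subjectAltName=DNS:www.mybuddy.org\n' > "$WORK/san.ext"
  openssl x509 -req -days 1 -in "$WORK/srv.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/srv.crt" >/dev/null 2>&1
}

# verify_as <trusted-ca-file|none> <expected-hostname>
# Returns 0 only when the chain ends in a trusted root AND the certificate
# names the host we meant to reach; the system store is deliberately ignored
# so that the only trust anchor is the one we pass in.
verify_as() {
  if [ "$1" = none ]; then
    openssl verify -no-CAfile -no-CApath -verify_hostname "$2" \
      "$WORK/srv.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -no-CApath -verify_hostname "$2" \
      "$WORK/srv.crt" >/dev/null 2>&1
  fi
}

# Print the three outcomes a browser would reach: untrusted CA, trusted CA
# with matching name, trusted CA but the certificate is for another host.
demo() {
  make_ca && make_leaf
  for c in "none www.mybuddy.org" "$WORK/ca.crt www.mybuddy.org" \
           "$WORK/ca.crt www.amazon.com"; do
    set -- $c
    if verify_as "$1" "$2"; then echo "trusted  CA=$1 name=$2"
    else echo "REJECTED CA=$1 name=$2"; fi
  done
}

demo
```

Only the middle case is accepted: the private CA must have been imported as a trust anchor, and even then the certificate vouches for www.mybuddy.org alone, not for any other name.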



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php