>>But unless you paid the $200 to get it from a CA, surfers will see a nasty
>>(and totally inaccurate/misleading) warning about how insecure it is.
>They should. To do otherwise would be inaccurate and misleading.
>>The transmission is no less secure -- It's that the web-server on the other
>>end was too cheap to pay the $200 for a CA key.
>No, the transmission is much less secure. You cannot be guaranteed the
>identity of the Web server you're communicating with. You think just
>because the HTTP transaction is encrypted that it is secure? What if
>your encrypted transaction is taking place with some criminal? You
>still feel secure?
No, the *TRANSMISSION* is just as secure from snooping. It's the
*RECIPIENT* whom you trust, or not. Maybe they've hijacked DNS records and
are masquerading. Maybe they just didn't pay the $200. Maybe they paid
$200 and are crooks.
Do you really believe that for $200 (or $119, or $500) that they "proven"
>>Yes, the basic model for the security of all eCommerce is:
>>"You pay some large corporation $200, and they trust you."
>No, you pay some large corporation money, because the majority of
>browsers currently in use trust certificates issued by that corporation.
>They've had to undergo extensive C&A processes to ensure the integrity
>of their operation, and they've also had to shell out some big money to
>Microsoft and Netscape to have their root certificates installed and
>trusted into their browsers.
And for the $200, they do a background check on everybody, or what?
What's to stop a criminal from getting a $200 certificate? Nothing.
How do you *KNOW* that web-site isn't run by a criminal? How do you know
they aren't collecting credit-card numbers? How do you *KNOW* they aren't
storing them insecurely?
Fact is: All you *KNOW* is that they paid Thawte, Microsoft, or some other
large corporation $200. You don't know *anything* else about them.
>>Alas, the *BROWSER* makes it sound like the whole thing is very shady, when,
>>in reality, if you trust the web-site (certainly more than I trust
>>Microsoft!) then it's just as secure.
>The browser *should* issue a warning when the identity of the Web server
>it is about to communicate with cannot be guaranteed. You seem to be
>confused about where the trust lies. If I trust the Web site
>http://www.mybuddy.org/ (hypothetical best friend's Web site), does that
>mean I should trust any certificate that is issued to www.mybuddy.org?
>What if the certificate's root CA was a criminal's PC? Are you *sure*
>that's your friend's Web site that you are communicating with?
If I *TRUST* mybuddy.org, then I *TRUST* them not to install a Certificate
from a criminal's PC !!!
I *TRUST* them not to have non-repudiated Certificates floating around out
Conversely, if I don't know squat about mybuddy.org, all I know is they paid
somebody else I don't trust $200.
Maybe you just trust big corporations more than I do. I dunno.
All I know is, the "Trust Model" *IS*
Somebody I don't trust pays somebody else I don't trust $200. Period.
Doesn't instill a lot of faith in the system for *ME*. Might be enough for
you to have Faith, but not me.
>However, if you do trust a certain CA (perhaps your own), you can import
>your root certificate into your browser and check some boxes to trust
>it. Luckily, browsers don't even allow a method for you to "trust" a
>It is quite trivial to generate a certificate for www.amazon.com. It
>isn't too terribly difficult to make someone's computer think
>www.amazon.com is your Web site. Here come the encrypted credit card
>numbers. Good thing they're secure. :)
>The point is, PKI isn't about encryption alone. In fact, the "textbook"
>answer to the question of what services PKI provides is:
>If it only provided confidentiality, quite honestly, PKI would be
>useless as it is implemented today.
Do *YOU* trust the CA people to have thoroughly researched joesbotique.com
when you give them your credit card?
How do you know it's not a scam?
How do you know their certificate hasn't been stolen, and they haven't even
figured it out yet? How do you know they were trustworthy people in the
You only *KNOW* that somebody, somewhere, at some time, paid $200 for that
"Certificate" and that nobody has noticed something skanky about it -- at
least not yet.
The more I think about this, the more I agree with people who just won't do
eCommerce at all...
Like Music? http://l-i-e.com/artists.htm