Re: Another entry in the internet security hall of shame....

2005-08-27 Thread Eric Rescorla
Dave Howe writes: Ian G wrote: none of the above. Using SSL is the wrong tool for the job. For the one task mentioned - transmitting the username/password pair to the server - TLS is completely appropriate. However, hash based verification would seem to be more secure,

instant lottery cards too, Re: reading PINs in secure mailers without opening them

2005-08-27 Thread Ed Gerck
Years ago, I could read instant win lottery cards and still leave them as new by using the laser photoacoustic effect. A low-power chopped laser beam is focused and line-scans the target while a microphone picks up the acoustic waves caused by differential absorption of the laser light as it

e2e security by default (Re: e2e all the way)

2005-08-27 Thread Adam Back
OK summing up: I think e2e secure, and secure by default. On Fri, Aug 26, 2005 at 04:17:32PM -0400, Steven M. Bellovin wrote: On the contrary -- I did say that I support and use e2e security. I simply said that user-to-server security solves a lot of many -- most? -- people's security

Re: e2e all the way (Re: Another entry in the internet security hall of shame....)

2005-08-27 Thread Ian G
Steven M. Bellovin wrote: Do I support e2e crypto? Of course I do! But the cost -- not the computational cost; the management cost -- is quite high; you need to get authentic public keys for all of your correspondents. That's beyond the ability of most people. I don't think it is that hard

Re: Another entry in the internet security hall of shame....

2005-08-27 Thread Ian G
Steven M. Bellovin wrote: But this underscores one of my points: communications security is fine, but the real problem is *information* security, which includes the endpoint. (Insert here Gene Spafford's comment about the Internet, park benches, cardboard shacks, and armored cars.) *That*