[9457] in cryptography@c2.net mail archive


Re: [FYI] Did Encryption Empower These Terrorists?

daemon@ATHENA.MIT.EDU (Ben Laurie)
Mon Sep 24 09:19:54 2001

Message-ID: <3BAEF028.883A045@algroup.co.uk>
Date: Mon, 24 Sep 2001 09:34:48 +0100
From: Ben Laurie <ben@algroup.co.uk>
MIME-Version: 1.0
To: lynn.wheeler@firstdata.com
Cc: jim_windle@eudoramail.com, cryptography@wasabisystems.com,
	Hadmut Danisch <hadmut@danisch.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

lynn.wheeler@firstdata.com wrote:
> The problems, of course, are 1) account numbers are essentially shared
> secrets, 2) SSL only provides for protection for numbers in flight, 3) the
> numbers at rest remain a major exploit (as per press stories regarding
> copying of account number master files at web servers) ... aka the use of
> SSL/encryption only addressed a small portion of the problem. The web server
> account number master file also typically represents a risk that is
> significantly greater than what a typical merchant otherwise has at risk ...
> making it difficult to support a solution where the level of
> security/protection is proportional to the risk

This is simply bad design - there should be no "account number master
file" on the web server!

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
