[9479] in cryptography@c2.net mail archive
Re: [FYI] Did Encryption Empower These Terrorists?
daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Sep 25 10:59:49 2001
Message-ID: <3BB04E45.208F9107@algroup.co.uk>
Date: Tue, 25 Sep 2001 10:28:37 +0100
From: Ben Laurie <ben@algroup.co.uk>
MIME-Version: 1.0
To: cryptography@wasabisystems.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
lynn.wheeler@firstdata.com wrote:
>
> there are all sorts of shortcomings in this world. you find a "merchant"
> that buys a computer, installs some webserver software and puts it up on
> the web and expects that to handle everything.
Fine, but that was not the point you claimed to be making. You said:
> The web server
> account number master file also typically represents a risk that is
> significantly greater than what a typical merchant otherwise has at risk ...
> making it difficult to support a solution where the level of
> security/protection is proportional to the risk
It is easy to avoid this piece of bad design, for example by
transferring asymmetrically encrypted order details to a back-end system
(via email is a popular choice).
Of course, the system is still vulnerable to trojan-style attacks (in
fact it seems to me that even this could be avoided with some cunning
client-side work - it would even be valuable to extend, say, SSL to
permit this - I wonder if it would be worth describing how this could be
done?).
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
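An added illustration of the design described above (example code, not from this thread or any of its participants; the envelope layout, the 2048-bit RSA key and the order format are assumptions): the web server holds only the back end's public key and seals each order as a hybrid RSA-OAEP/AES-GCM envelope, so everything it stores or mails onward is useless without the private key that lives only on the back-end system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealOrder runs on the web server, which holds only the back end's PUBLIC key; the envelope it returns is all the server keeps or mails, and nothing on the server can open it again.
func SealOrder(pub *rsa.PublicKey, order []byte) ([]byte, error) {
	kn := make([]byte, 32+12) // fresh AES-256 key and 96-bit GCM nonce for this order
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	gcm, err := newGCM(kn[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn, nil)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(wrapped, kn[32:], order, nil), nil // RSA-OAEP(key||nonce) || AES-GCM(order)
}

// OpenOrder runs only on the back-end system, the sole holder of the private key.
func OpenOrder(priv *rsa.PrivateKey, env []byte) ([]byte, error) {
	if len(env) < priv.Size() { // an RSA-OAEP ciphertext is exactly one modulus long
		return nil, rsa.ErrDecryption
	}
	kn, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env[:priv.Size()], nil)
	if err != nil || len(kn) != 32+12 { // reject anything not wrapped by SealOrder
		return nil, rsa.ErrDecryption
	}
	gcm, err := newGCM(kn[:32])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, kn[32:], env[priv.Size():], nil) // fails on any tampering
}
```

As the message notes, this moves the account-number risk off the web server but does nothing against code on that server that reads an order before it is sealed.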
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com