[2849] in WWW Security List Archive
Re: SSL and certificates
daemon@ATHENA.MIT.EDU (hallam@ai.mit.edu)
Thu Aug 29 18:32:21 1996
From: hallam@ai.mit.edu
To: Www-Security@ns2.rutgers.edu
Cc: hallam@ai.mit.edu
Date: Thu, 29 Aug 96 16:53:27 -0400
Errors-To: owner-www-security@ns2.rutgers.edu
One of the reasons why Web security hasn't got very far is that none
of the original proposals actually addressed the key problem of the market.
Originally the worry was about collaboration over the net, which is what
S-HTTP and Shen were about. SSL solved the problem of the internet shopping
mall - but not that of the CC companies.

Talk of credit card numbers in the clear is utterly irrelevant. The fact is
that the CC companies are not worried by sending CCs in the clear. What
worries them is the thought that internet mall administrators will store
large databases of verified CC information on machines connected to the
internet.

In short, the CC companies were not worried by customer fraud; merchant fraud
was a far greater worry and (although they wouldn't say it) bank fraud
was bigger still. That's not to suggest that the CCs thought that there
were large numbers of banks out there like BCCI; they were afraid of
fraud by employees of the various banks.

All this put together meant that the only real solution to the problem was to
ensure that the acquiring bank and the merchant would never see the actual
credit card number (except for the first and last four digits).
Phill