There's a very nice paper by Ross Anderson called "Why Cryptosystems fail" available at http://citeseer.nj.nec.com/9195.html - it's a crappy PDF file on the site ... I have a high quality original if anyone's interested.
The basic message is that trusting in technology does not give you security - SSL and PIN can all be bypassed with ease if you have the time or the desire ... there was a nice article on cryptome.org a while back about this.

--
Edmund Cramp
http://www.emgsrus.com/graffiti.htm

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of John Hebert
> Sent: Monday, March 25, 2002 1:46 PM
> To: [EMAIL PROTECTED]
> Subject: SSL and security was Re: [brluglist] Yahoo E-Mail - Beware:
> Non-Linux Related
>
> Well, there's a big ole can of worms you are opening.
> :)
>
> There are a number of security factors to consider
> beyond SSL and pin numbers (authentication,
> authorization, network security, etc, ad
> infinitum,...), but for the sake of this discussion,
> let's just consider SSL with a PIN.
>
> IMHO, for your needs, SSL (Secure Socket Layer) is
> secure. I assume that Yahoo can support 128-bit SSL
> encryption, so make sure your browser(s) use this.
> Most new browsers do. If you want to know more about
> SSL: http://www.openssl.org. Anybody know how long it
> would take to decrypt 128-bit SSL?
>
> Now the PIN is another story. Treat the PIN just like
> a password, which is basically what it is. I assume
> that Yahoo keeps these PINs encrypted and secure in
> their databases, but, who knows for sure?
>
> Also, make sure you have a good SSL connection
> (https://...) with the little "gold key" icon whenever
> you transmit secure data from your browser.
>
> John Hebert
>
> --- Kory Wnuk <[EMAIL PROTECTED]> wrote:
> > As I am sure that many of you are aware, Yahoo is
> > attempting to have users of the Yahoo mail system pay
> > for POP access and mail forwarding. This is not an
> > overly big deal to me personally. However, to pay for
> > this service one is required to have a Yahoo "Wallet"
> > account. This will allow all of my credit card
> > numbers to be stored in one location for easy access.
> > This is supposedly secure (SSL). This combined with a
> > PIN is supposed to make me feel comfortable. Does
> > anyone have any information regarding what level of
> > security might be expected from a system such as the
> > one I have briefly described? Thanks.
> >
> > -K
> >
> > =====
> > Contrary to what you may believe, I don't do Windows!
> >
> > ================================================
> > BRLUG - The Baton Rouge Linux User Group
> > Visit http://www.brlug.net for more information.
> > Send email to [EMAIL PROTECTED] to change
> > your subscription information.
> > ================================================