>>But unless you paid the $200 to get it from a CA, surfers will see a nasty
>>(and totally inaccurate/misleading) warning about how insecure it is.
>>
>
>They should. To do otherwise would be inaccurate and misleading.
>
>>The transmission is no less secure -- It's that the web-server on the other
>>end was too cheap to pay the $200 for a CA key.
>>
>
>No, the transmission is much less secure. You cannot be guaranteed the 
>identity of the Web server you're communicating with. You think just 
>because the HTTP transaction is encrypted that it is secure? What if 
>your encrypted transaction is taking place with some criminal? You 
>still feel secure?

No, the *TRANSMISSION* is just as secure from snooping.  It's the
*RECIPIENT* whom you trust, or not.  Maybe they've hijacked DNS records and
are masquerading.  Maybe they just didn't pay the $200.  Maybe they paid
$200 and are crooks.

Do you really believe that for $200 (or $119, or $500) they have "proven"
themselves trustworthy?

>>Yes, the basic model for the security of all eCommerce is:
>>
>>"You pay some large corporation $200, and they trust you."
>>
>
>No, you pay some large corporation money, because the majority of 
>browsers currently in use trust certificates issued by that corporation. 
>They've had to undergo extensive C&A processes to ensure the integrity 
>of their operation, and they've also had to shell out some big money to 
>Microsoft and Netscape to have their root certificates installed and 
>trusted into their browsers.

And for the $200, they do a background check on everybody, or what?

What's to stop a criminal from getting a $200 certificate?  Nothing.

How do you *KNOW* that web-site isn't run by a criminal?  How do you know
they aren't collecting credit-card numbers?  How do you *KNOW* they aren't
storing them insecurely?

Fact is:  All you *KNOW* is that they paid Thawte, Microsoft, or some other
large corporation $200.  You don't know *anything* else about them.

>>Alas, the *BROWSER* makes it sound like the whole thing is very shady, when,
>>in reality, if you trust the web-site (certainly more than I trust
>>Microsoft!) then it's just as secure.
>>
>
>The browser *should* issue a warning when the identity of the Web server 
>it is about to communicate with cannot be guaranteed. You seem to be 
>confused about where the trust lies. If I trust the Web site 
>http://www.mybuddy.org/ (hypothetical best friend's Web site), does that 
>mean I should trust any certificate that is issued to www.mybuddy.org? 
>What if the certificate's root CA was a criminal's PC? Are you *sure* 
>that's your friend's Web site that you are communicating with?

If I *TRUST* mybuddy.org, then I *TRUST* them not to install a Certificate
from a criminal's PC !!!

I *TRUST* them not to have non-repudiated Certificates floating around out
there.

Conversely, if I don't know squat about mybuddy.org, all I know is they paid
somebody else I don't trust $200.

Maybe you just trust big corporations more than I do.  I dunno.

All I know is, the "Trust Model" *IS*

Somebody I don't trust pays somebody else I don't trust $200.  Period.

Doesn't instill a lot of faith in the system for *ME*.  Might be enough for
you to have Faith, but not me.

>However, if you do trust a certain CA (perhaps your own), you can import 
>your root certificate into your browser and check some boxes to trust 
>it. Luckily, browsers don't even allow a method for you to "trust" a 
>domain name.
>
>It is quite trivial to generate a certificate for www.amazon.com. It 
>isn't too terribly difficult to make someone's computer think 
>www.amazon.com is your Web site. Here come the encrypted credit card 
>numbers. Good thing they're secure. :)
>
>The point is, PKI isn't about encryption alone. In fact, the "textbook" 
>answer to the question of what services PKI provides is:
>
>1. Identification
>2. Authentication
>3. Authorization
>4. Integrity
>5. Confidentiality
>6. Non-Repudiation
>
>If it only provided confidentiality, quite honestly, PKI would be 
>useless as it is implemented today.

Do *YOU* trust the CA people to have thoroughly researched joesbotique.com
when you give them your credit card?

How do you know it's not a scam?

How do you know their certificate hasn't been stolen, and they haven't even
figured it out yet?  How do you know they were trustworthy people in the
first place?

You only *KNOW* that somebody, somewhere, at some time, paid $200 for that
"Certificate" and that nobody has noticed something skanky about it -- at
least not yet.

The more I think about this, the more I agree with people who just won't do
eCommerce at all...

-- 
Like Music?  http://l-i-e.com/artists.htm


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
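
The point argued in this thread, that encryption and identity are separate and that identity depends on which root you have chosen to trust, can be checked locally with the openssl command line. This is an added example, not part of the original message; the name www.mybuddy.test, the "Example Private Root" CA and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names and files are constructed; nothing touches the network.

# make_pki DIR: build three things in DIR:
#   ca.pem   - a private root CA (the kind you would import into a browser)
#   leaf.pem - certificate for www.mybuddy.test signed by that root
#   self.pem - self-signed certificate claiming the same name
make_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private Root" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.mybuddy.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.mybuddy.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
}

# chain_ok ROOT CERT: succeed only if CERT chains to the trust anchor ROOT.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report LABEL ROOT CERT: print the verification outcome for one pairing.
report() {
    if chain_ok "$2" "$3"; then echo "$1: trusted"; else echo "$1: NOT trusted"; fi
}

work=$(mktemp -d) || exit 1
make_pki "$work" || { echo "openssl failed" >&2; exit 1; }
report "CA-signed leaf, root imported" "$work/ca.pem" "$work/leaf.pem"
report "self-signed, same name, same root" "$work/ca.pem" "$work/self.pem"
report "self-signed, accepted as its own anchor" "$work/self.pem" "$work/self.pem"
rm -rf "$work"
```

Both leaf certificates carry the same subject name and would encrypt a session equally well; only the choice of trust anchor separates them, and the third line shows what accepting a browser warning amounts to.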
