
Re: SSL weakness affecting links from pa



Bill Stewart, ever the realist, despite the futility
of rational thought in confronting today's world, wrote:
> 
> At 01:54 AM 4/11/97 -0500, ARTURO GRAPA YSUNZA <[email protected]> wrote:
> >See http://www.Microsoft.com/security/
> >under "Credit Card Security Concerns and Microsoft's Response"
> >for Microsoft's response on the SSL GET/POST weakness. Any opinions?
> 
> I was highly unimpressed with Microsoft's Response:
>         "It's Not A Security Flaw"
>         "But Everybody Important Works Around It"
>         "And we're fixing it in the next release"
> without providing much detail about what's going on.
> It does indicate what to look into to avoid it when writing web pages,
> but it doesn't say how to avoid it when entering your credit card number
> into a web page, or what to look for as a non-programmer user.

  Bill seems to be one of the few people to realize that tips and
tricks for experienced programmers do nothing at all for the
common user, who has no way of discerning which of the programs
and sites that they access are indeed compensating for a system
which contains a plethora of basic faults.

  When facing a firing squad, there is little comfort in knowing
that only one or two of the rifles contain real bullets.
  Pardon me for suggesting that the average user will realize that
he need not volunteer to face the firing squad if he doesn't want
to. The 10,000 people who enter their credit card number at a
web page prompt won't be on the nightly news. The guy or gal whose
life was ruined when they did so, will be.
  Does anyone care to estimate what percentage of the 10,000 who
didn't get totally screwed will think twice before using their
credit card on the web again?
-- 
Toto
"The Xenix Chainsaw Massacre"
http://bureau42.base.org/public/xenix/xenbody.html