Re: securing html forms

On Tue, 23 Jan 2001, Raju Mathur wrote:

> Having said that, guess how many of the millions of credit card numbers
> which have been stolen on the 'net were stolen while being transmitted
> to a server?  Yes, that's right: None!  The problems associated with
> snooping confidential information on public networks are so many, that
> 999 times out of 1000 it's much easier to just crack into the server
> where the CC numbers are stored and pick them up from there.  In other
> words, HTTPS/SSL is (usually) mostly marketing hype. 

I think this is the first time I have heard someone else say this.  Raj,
and other folks working with ISPs, could you tell me what kind of effort
would be required if you knew that I was downstream, about to log in by
telnet to my upstream Unix machine, and you wanted my password?

I am concerned about SSL mainly to secure traffic from a promiscuous NIC on
my local Ethernet, not on the wide, wide, world.

Of course, since I have not seen my view appreciated anywhere, I do use
ssh to connect to client machines ;-)

And re: Credit Card numbers, give me a break!!!  Every waiter and
restaurant cashier in SouthEx knows my Credit Card number, not to
mention the Petrol Pump walas.  And yet, people will flat refuse to send
it over the Internet.  As you pointed out, SSL is needed for public

Sanjeev "ghane" Gupta                    Mob: +65 98551208
dotXtra Pte Ltd                          Fax: +65 2275776
Singapore                                email: ghane@xxxxxxxxxxx