On Apr 22, 2004, at 23:07, Seth Breidbart wrote:
> mathew <meta(_at_)pobox(_dot_)com> wrote:
>> On Apr 21, 2004, at 21:21, Seth Breidbart quoted someone:
>>>> How come SSL certificates in HTTPS transactions can work? Aren't
>>>> they reasonably analogous?
>>> No; anybody can generate one. Somebody who wanted billions of valid
>>> ones could just spend a little CPU time.
>> No, it doesn't work like that. If it did, SSL would be useless.
> No, SSL encrypts.

SSL with certificates can also authenticate, and that's the kind of
functionality that's needed for e-postage.

>> Sure, I can generate a self-signed SSL certificate, but that's not
>> going to get me anywhere.
> It does for a number of stores I shop at.

>> After all, what value does having a certificate signed by Verisign
>> actually provide?
> It provides assurance that the system you are connecting to is one
> approved by Verisign.

So, what value does e-postage signed by Verisign have? Well, it might
hypothetically have the value that Verisign will redeem it for cash.

Now, I notice you deleted my challenge, so let me re-state it. If you
think SSL certificates are worthless and easily bypassed, let's see you
generate one which my browser will accept without throwing up a warning
that it's bogus.

>> Ask yourself why phishing sites don't use SSL.
> Why should they bother? Would it increase their success ratio?

It would if they could get the certificate to be accepted without any
warning, the connection to show as secure, and the certificate to state
that they really are the institution they're pretending to be. If they
could do that, they might fool people like me. But they can't, which is
the entire point.
mathew
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
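The point in dispute in the message above is whether a certificate that "anybody can generate" gets past a browser. The following is an added example written for this archive page, not code from the list message or from either author. It uses Go's standard crypto/x509 package to play both sides: a root CA that stands in for a Verisign-style trust anchor installed in the browser, and the checks a browser runs before showing the connection as secure (chain to a trusted root, then match the host name). The names "Example Root CA", bank.example and shop.example are constructed for the example. It goes slightly beyond the thread by also trying an impostor CA that copies the real CA's name, to show that trust attaches to the root's key, not its name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for the example; nothing here refers to a real CA or site.
const (
	RootName = "Example Root CA"
	SiteName = "bank.example"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds either a CA template or a server (leaf) template for name.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues a certificate for tmpl with a fresh key. With parent == nil the
// certificate is self-signed, which is exactly what "anybody can generate";
// otherwise parentKey (the CA's key) signs it.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// browserCheck does what a browser does before showing the padlock: build a
// chain from cert to a root in the trust store and match the name the user typed.
func browserCheck(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records which certificates the "browser" accepted for SiteName.
type Outcome struct {
	CASignedAccepted   bool // bank.example cert signed by the trusted root
	SelfSignedRejected bool // bank.example cert signed only by itself
	ImpostorCARejected bool // bank.example cert signed by a home-made CA that copies RootName
	WrongNameRejected  bool // trusted-root cert, but issued to shop.example
}

func Demo() Outcome {
	root, rootKey := sign(template(1, RootName, true), nil, nil)
	roots := x509.NewCertPool() // the trust store shipped with the browser
	roots.AddCert(root)

	genuine, _ := sign(template(2, SiteName, false), root, rootKey)
	selfSigned, _ := sign(template(3, SiteName, false), nil, nil)
	fakeRoot, fakeRootKey := sign(template(4, RootName, true), nil, nil) // same name, different key
	viaFakeRoot, _ := sign(template(5, SiteName, false), fakeRoot, fakeRootKey)
	otherSite, _ := sign(template(6, "shop.example", false), root, rootKey)

	var unknownAuth1, unknownAuth2 x509.UnknownAuthorityError
	var badHost x509.HostnameError
	return Outcome{
		CASignedAccepted:   browserCheck(genuine, roots, SiteName) == nil,
		SelfSignedRejected: errors.As(browserCheck(selfSigned, roots, SiteName), &unknownAuth1),
		ImpostorCARejected: errors.As(browserCheck(viaFakeRoot, roots, SiteName), &unknownAuth2),
		WrongNameRejected:  errors.As(browserCheck(otherSite, roots, SiteName), &badHost),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Only the certificate whose chain ends at a key already in the trust store is accepted; the self-signed one and the one from a look-alike CA fail with UnknownAuthorityError, and a genuinely CA-signed certificate for a different host fails the name match. Generating "billions" of certificates costs CPU time but never produces one that chains to a root the browser already trusts, which is the property the thread is arguing about.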