Hi!

Chris Shiflett wrote:

> Richard,
>> Do you really believe that for $200 (or $119, or $500) that they've "proven"
>> themselves trustworthy?

LOL, no, I don't. As a matter of fact, crooks usually have more money in their pockets than honest people do, so it's highly possible that a crook will pay the money while the innocent will save his last cent :))

> Now you've changed from "secure" to "secure from snooping." Notice the
> difference? It is significant. Like I said before, encrypting the
> transmission is useless by itself. To put it plainly:
>
> encryption != security
>
> What if you trust your friend who owns safeplace.org, and you want to do
> business with him? Maybe you visit his site and enter a credit card
> number somewhere. Thankfully, you notice that the lock icon is showing,
> and that he is using SSL. With this warped idea of SSL where encryption
> is all that counts, what if you find out that you're not really on
> safeplace.org? You're really at evilcriminal.org, and he has a virtual
> domain set up for safeplace.org. Also, he generated his own certificate
> for safeplace.org using his own CA (good thing there was no C&A process
> to undergo). So you have now sent the evil criminal your credit card
> number because you trusted his domain name. Good thing it's secure, right?

So, let's see if I got you right:

1) SSL just says our packets are difficult to open, that is, they are encrypted. Nothing more.

2) Our packets are difficult to open, but they are totally open to Uncle Sam's control software, as the RSA thingy cannot shield them from "governmental inspection", which makes sense if you are writing software for an American citizen but is pretty annoying if your customer is from somewhere else.

3) A key is nothing more than a negotiation token, a mere building brick that is used to fire the process.

4) The "trust" you buy is something like a fixed IP number, that is, the guys in the major do certify that you *are* who you pretend to be.

5) If the one I am pretending to be is a criminal, being trusted by Verisign (or whoever in their place) won't make any difference.

Their "license" just means that you are really dealing with those you think you are dealing with and that they do bear legal responsibility for whatever will happen in the transaction. Again, legal action will eventually have different results depending on where the trusted company is based, since not all countries have the same normative set. But that has nothing to do with the SSL protocol in itself.

Now, there's a question regarding point 4). What if someone from www.goodguys.com gets the certified key pair and hands it over to some crook outside the company? I hope this is not just as easy as it sounds (the key pairs will probably check something in the environment before starting to shout "YEAAAH!! IT'S MEEE!!!"), but still...

As for point 2), please get me right. I have my own political opinions like anybody else, but my concern here is a professional one, since my customers are 99% not Americans. Small to mid-sized companies (including mine) usually do not give a damn about having their messages read by American eyes (we are simply not worth the trouble of looking in our archives), but large companies and government organizations are *much* less indifferent to the subject, and I guess it's understandable: they want their privacy to be for real.

Bye,
Alberto
Kiev

--
@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@
LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu? lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS ThE tEsT, yEs It Is tHe TeSt, YeS iT iS ThE tEsT, yEs It Is.......

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
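The scenario in the quoted paragraph (evilcriminal.org serving a certificate for safeplace.org issued by his own CA) and point 4) come down to two checks a client has to make after the encryption has been negotiated: the certificate's issuer must be in the client's trust store, and the name in the certificate must match the host the user actually asked for. The Python below is an added example and is not code from the thread or from PHP; it models those two checks over the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, using constructed certificate data and hypothetical CA names. The signature check that binds a certificate to its issuer is what a real chain validation (OpenSSL, behind `ssl.create_default_context()`) performs; here it is represented only by the trust-store lookup.

```python
"""Model of the two checks a TLS client must make on top of encryption:
a trusted issuer and a matching host name.

Added example. The certificate data below is constructed and the CA names
are hypothetical. Certificates use the dict shape that Python's
ssl.SSLSocket.getpeercert() returns: 'subject' and 'issuer' are tuples of
RDNs, each RDN a tuple of (attribute, value) pairs; 'subjectAltName' is a
tuple of (type, value) pairs.
"""


def dn_key(dn):
    """Canonical, hashable form of a distinguished name (order-insensitive)."""
    return tuple(sorted(kv for rdn in dn for kv in rdn))


def match_dns_name(pattern, hostname):
    """RFC 6125-style comparison of one certificate DNS name with a host name.

    Case-insensitive; a wildcard is allowed only as the entire leftmost label,
    matches exactly one label, and must leave at least two fixed labels
    (so '*.org' never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate was issued for `hostname`.

    DNS subjectAltName entries are authoritative when present; the subject
    commonName is consulted only as a fallback for certificates without them.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(match_dns_name(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return match_dns_name(value, hostname)
    return False


def verify_peer(cert, hostname, trust_store):
    """Return (accepted, reason) for a certificate presented on a connection
    the user opened to `hostname`.

    Encryption is already negotiated at this point; these checks are what turn
    "encrypted" into "talking to who I think I am talking to".  The signature
    that binds the certificate to its issuer is verified by the TLS library
    (OpenSSL) and is not modelled here; the trust-store lookup stands in for it.
    """
    if dn_key(cert.get("issuer", ())) not in trust_store:
        return False, "issuer not in trust store"
    if not hostname_matches(cert, hostname):
        return False, "hostname mismatch"
    return True, "ok"


# Constructed sample data; both CA names are hypothetical.
TRUSTED_CA = ((("organizationName", "Example Trusted CA"),),)
ROGUE_CA = ((("organizationName", "evilcriminal.org private CA"),),)

TRUST_STORE = {dn_key(TRUSTED_CA)}

# The genuine certificate for safeplace.org.
SAFEPLACE_CERT = {
    "subject": ((("commonName", "safeplace.org"),),),
    "issuer": TRUSTED_CA,
    "subjectAltName": (("DNS", "safeplace.org"), ("DNS", "www.safeplace.org")),
}

# The certificate evilcriminal.org made for safeplace.org with his own CA:
# every name is right, but nobody the client trusts vouches for it.
FORGED_CERT = {
    "subject": ((("commonName", "safeplace.org"),),),
    "issuer": ROGUE_CA,
    "subjectAltName": (("DNS", "safeplace.org"),),
}

# A perfectly valid certificate, but for the wrong site.
EVILCRIMINAL_CERT = {
    "subject": ((("commonName", "evilcriminal.org"),),),
    "issuer": TRUSTED_CA,
    "subjectAltName": (("DNS", "evilcriminal.org"), ("DNS", "*.evilcriminal.org")),
}


if __name__ == "__main__":
    for label, cert, host in [
        ("genuine cert, right host", SAFEPLACE_CERT, "www.safeplace.org"),
        ("forged cert, own CA", FORGED_CERT, "safeplace.org"),
        ("valid cert, wrong site", EVILCRIMINAL_CERT, "safeplace.org"),
        ("wildcard on its own site", EVILCRIMINAL_CERT, "shop.evilcriminal.org"),
    ]:
        print(f"{label:26} -> {verify_peer(cert, host, TRUST_STORE)}")
```

Two things the model makes visible. First, the forged certificate fails even though every name in it is correct: the lock icon by itself says nothing about who issued the certificate, and a client that skips the issuer check (or a user who clicks through the warning) is exactly the victim in the quoted scenario. Second, the question about www.goodguys.com has an uncomfortable answer: a certificate plus its private key handed to a crook passes both checks, since nothing in the certificate "checks the environment"; the only remedy is for the CA to revoke it, which is why revocation mechanisms exist.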