1995-08-17 - Re: SSL challenge – broken !

Header Data

From: Damien.Doligez@inria.fr (Damien Doligez)
To: cypherpunks@toad.com
Message Hash: 83943c08c27c8ec92bb6f729340ccb237dfa4dfad7512347d8fd06161315ee5c
Message ID: <9508171404.AA02355@couchey.inria.fr>
Reply To: N/A
UTC Datetime: 1995-08-17 14:04:41 UTC
Raw Date: Thu, 17 Aug 95 07:04:41 PDT

Raw message

From: Damien.Doligez@inria.fr (Damien Doligez)
Date: Thu, 17 Aug 95 07:04:41 PDT
To: cypherpunks@toad.com
Subject: Re: SSL challenge -- broken !
Message-ID: <9508171404.AA02355@couchey.inria.fr>
MIME-Version: 1.0
Content-Type: text/plain


>From: Joe Buck <jbuck@Synopsys.COM>
>However, I disagree with your conclusion:
[...]
>There's plenty of stuff that *does* need protection, but I'm not sure
>credit card #'s head the list.

You're right, of course, if you discount the hassle of getting the
transactions cancelled whenever your credit card number is used
fraudulently.

I have a much better example (and a real one, too):

I have an account at Wells Fargo Bank near San Francisco.  They
recently started offering web access to their customers.  That would
be great for me because banking by phone is pretty expensive when I'm
in France, and it's not always easy for me to understand American
accents.

So they would give me a password that I can use for some set of
operations.  I don't know which one exactly, but I would expect it to
include electronic transfers from my account to anywhere else.  The
password is protected by the SSL connection.  That would be fine if I
had the full SSL security, but in France I can only get the exportable
version of Netscape.  As a result, I won't be using this service.

There's the beginning of a market for full-SSL clients and servers
outside the US.  Maybe Netscape should go multinational right now.

-- Damien




