1995-09-21 - Re: first virtual “security” (!!) (was Re: Security Flaw Is Discovered In Software Used in Shopping)

Header Data

From: Laurent Demailly <dl@hplyot.obspm.fr>
To: Nathaniel Borenstein <nsb@nsb.fv.com>
Message Hash: dd9b84871240924f65323eea361365c3cf9e6bb47e2782efb66c2a0e21567ec1
Message ID: <9509210232.AA09480@hplyot.obspm.fr>
Reply To: <v02120d1aac85dff6bc68@[]>
UTC Datetime: 1995-09-21 03:48:42 UTC
Raw Date: Wed, 20 Sep 95 20:48:42 PDT

Raw message

From: Laurent Demailly <dl@hplyot.obspm.fr>
Date: Wed, 20 Sep 95 20:48:42 PDT
To: Nathaniel Borenstein <nsb@nsb.fv.com>
Subject: Re: first virtual "security" (!!) (was Re: Security Flaw Is Discovered In Software Used in Shopping)
In-Reply-To: <v02120d1aac85dff6bc68@[]>
Message-ID: <9509210232.AA09480@hplyot.obspm.fr>
MIME-Version: 1.0
Content-Type: text/plain

You have excellent points in your detailed answer, thank you, but

If FV was as used as SSL could be, what prevents, to use your terms,
someone from getting MILLIONS of FV's identifiers and using each one only
once, etc ... (imo your figures about SSL and crypto software risks are
over-evaluated, so I over-evaluate the 'risks' of yours using same

There can't be more security by transferring data in the clear
compared to an encrypted one... except maybe that people using
encryption can often feel overconfident. So, as someone pointed out,
it is not that much a problem about CC# which are available easily
anyway, but in fact, using encrypted communications is the only way to
ensure (some) *privacy*, in addition to being a security improvement. A
problem is to avoid failing on "customer expectation", especially when
you've created it. So probably there was too much focus and
advertising on security issues on the internet, by the very same
companies that prove later to fail, giving wrong expectations. Privacy
remains a goal anyway, and financial insecurity never was a problem as
long as it remains under a small %.

So I'd prefer to use crappy Netscape 1.1 40-bit export SSL than your
system... Though what I'd really use is PGP :-)

Anyway, if you have happy customers, good for you... I'd suggest that
you'd use "Security through Clarity" as motto ;-)

Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|...  Freedom
Prime#1: one hundred five thousand one hundred five billion one hundred five thousand one hundred sixty-seven

fissionable SEAL Team 6 Kaser Sose nuclear Clinton domestic
disruption DST