1997-04-12 - Re: SSL weakness affecting links from pa

Header Data

From: Toto <toto@sk.sympatico.ca>
To: Bill Stewart <stewarts@ix.netcom.com>
Message Hash: e897d0edc765ff48d082b2039853b583bb1fc245e1f1b96b7af08259341a7729
Message ID: <334F3961.15AD@sk.sympatico.ca>
Reply To: <3.0.1.32.19970411230142.00643490@popd.ix.netcom.com>
UTC Datetime: 1997-04-12 07:41:36 UTC
Raw Date: Sat, 12 Apr 1997 00:41:36 -0700 (PDT)

Raw message

From: Toto <toto@sk.sympatico.ca>
Date: Sat, 12 Apr 1997 00:41:36 -0700 (PDT)
To: Bill Stewart <stewarts@ix.netcom.com>
Subject: Re: SSL weakness affecting links from pa
In-Reply-To: <3.0.1.32.19970411230142.00643490@popd.ix.netcom.com>
Message-ID: <334F3961.15AD@sk.sympatico.ca>
MIME-Version: 1.0
Content-Type: text/plain


Bill Stewart, ever the realist, despite the futility
of rational thought in confronting today's world, wrote:
> 
> At 01:54 AM 4/11/97 -0500, ARTURO GRAPA YSUNZA <agrapa@banamex.com> wrote:
> >See http://www.Microsoft.com/security/
> >under "Credit Card Security Concerns and Microsoft's Response"
> >for Microsoft's response on the SSL GET/POST weakness. ¿Any opinions?
> 
> I was highly unimpressed with Microsoft's Response:
>         "It's Not A Security Flaw"
>         "But Everybody Important Works Around It"
>         "And we're fixing it in the next release"
> without providing much detail about what's going on.
> It does indicate what to look into to avoid it when writing web pages,
> but it doesn't say how to avoid it when entering your credit card number
> into a web page, or what to look for as a non-programmer user.

  Bill seems to be one of the few people to realize that tips and
tricks for experienced programmers do nothing at all for the
common user, who has no way of discerning which of the programs
and sites that they access are indeed compensating for a system
which contains a plethora of basic faults.

  When facing a firing squad, there is little comfort in knowing
that only one or two of the rifles contain real bullets.
  Pardon me for suggesting that the average user will realize that
he need not volunteer to face the firing squad if he doesn't want
to. The 10,000 people who enter their credit card number at a
web page prompt won't be on the nightly news. The guy or gal whose
life was ruined when they did so, will be.
  Does anyone care to estimate what percentage of the 10,000 who
didn't get totally screwed will think twice before using their
credit card on the web again?
-- 
Toto
"The Xenix Chainsaw Massacre"
http://bureau42.base.org/public/xenix/xenbody.html






