[cap-talk] SSL protection racket
jed at nersc.gov
Tue Feb 26 14:30:43 EST 2008
On 2/26/2008 6:02 AM, John McCabe-Dansted wrote:
> On Tue, Feb 26, 2008 at 2:17 PM, Jed Donnelley <capability at webstart.com> wrote:
>> Seems to me that all your criteria for a protection racket are
>> met. If you believe that "Simply throwing up irritating dialogs at
>> users does not count as <a threat to do> harm.", you must not have
>> experience with a business that lives off its Web site. Such
>> "irritating dialogs" can literally kill a Web site.
> Just use http. I've often browsed https websites, and Firefox tells me
> they have some security problem. But Firefox never tells me that http
> sites have security problems!
> Clearly http is much more secure. ;)
Heh. This might be OK except for the instances where we want
to protect information on the wire - such as login passwords.
We are required by policy to use end-to-end encryption to protect
such passwords on the wire. To my thinking there is a good reason
for such a policy - to thwart network sniffing of such sensitive
information. Got an alternative to https for such an end-to-end
encryption facility for a Web server? Remember that it must work
with all the widely available Web browsers that our customers are
likely to have on their desktops.