[cap-talk] SSL protection racket
James A. Donald
jamesd at echeque.com
Tue Feb 26 16:47:20 EST 2008
Jed Donnelley wrote:
> we want to protect information on the wire - such as
> login passwords. We are required by policy to use
> end-to-end encryption to protect such passwords on the
> wire. To my thinking there is a good reason for such
> a policy - to thwart network sniffing of such
> sensitive information. Got an alternative to https
> for such an end-to-end encryption facility for a Web
> server? Remember that it must work with all the
> widely available Web browsers that our customers are
> likely to have on their desktops.
And that is the problem: Architecting security as a layer
has not worked, because a lot of the relevant
information, such as "is this page logged in", is not
available or not meaningful at the security layer.
Security on the web needs to be refactored, which is
difficult to do when we have widely deployed code.