[cap-talk] SSL protection racket - Petname Tool
lists at notatla.org.uk
Wed Feb 27 16:53:43 EST 2008
Sam Mason <sam at samason.me.uk> wrote:
> Maybe if CAs were a cost that was paid for by banks (the rationale
> being that it's generally their responsibility to cover the money lost
> when financial transactions err at the moment) and were not paid for by
> the person buying the SSL cert things would work, slightly, better. I
> personally believe a smaller scheme (like Petname) would work better.
Another interesting article on bank security work from Ross Anderson's group.
http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/
Part of the reason the banks tolerate poor security is that they're not
liable for the fraud loss - they get the chance to stick it on merchants and
customers.