[cap-talk] FW: x.509 -- MD5 considered harmful today
radix42 at gmail.com
Sat Sep 5 08:27:13 PDT 2009
My credit union, Patelco, is one of the few banking institutions I've seen get this one right. Their entire site is SSL, including the front page. And the first time you log in from a new network block they require an additional one-time verification code to be entered that is sent out-of-band via a previously chosen method (SMS, email, phone).
No idea why the 'big boys' in banking can't do this 'correctly' when a tiny CU does (maybe because they are in the Bay Area and hired the right Silicon Valley geeks for the design).
From: Raoul Duke <raould at gmail.com>
Sent: Thursday, September 03, 2009 2:32 PM
To: General discussions concerning capability systems. <cap-talk at mail.eros-os.org>
Subject: Re: [cap-talk] FW: x.509 -- MD5 considered harmful today
> Recollect how much trouble we get into because people
> try to https only what matters, and http when it is safe
> to do so, and usually get it wrong.
furthermore, even if you get it right, it makes it a lot more obvious
what the crackers should be trying to crack when not everything is
encrypted by default?