
Re: [Asrg] Re: the e-postage argument



mathew <meta@pobox.com> wrote:
> On Apr 22, 2004, at 23:07, Seth Breidbart wrote:
>> mathew <meta@pobox.com> wrote:
>>> On Apr 21, 2004, at 21:21, Seth Breidbart quoted someone:
>>>>> How come SSL certificates in HTTPS transactions can work? Aren't they
>>>>> reasonably analogous?
>>>> No; anybody can generate one.  Somebody who wanted billions of valid
>>>> ones could just spend a little CPU time.
>>> No, it doesn't work like that. If it did, SSL would be useless.
>> No, SSL encrypts.
>
> SSL with certificates can also authenticate, and that's the kind of 
> functionality that's needed for e-postage.

It _can_, but it doesn't for https necessarily.

>>> Sure, I can generate a self-signed SSL certificate, but that's not
>>> going to get me anywhere.
>> It does for a number of stores I shop at.
>> After all, what value does having a certificate signed by Verisign
>> actually provide?
>
> It provides assurance that the system you are connecting to is one 
> approved by Verisign.

And what value is "approval by Verisign"?  Aren't they the company
that once generated a bogus Microsoft certificate?

How much effort do they put into validating anyone who tries to buy a
certificate?

> So, what value does e-postage signed by Verisign have? Well, it might 
> hypothetically have the value that Verisign will redeem it for cash.

How do you prevent re-use?  Every recipient would have to query
Verisign immediately before accepting the email.  Do you really think
they could handle it?

> Now, I notice you deleted my challenge, so let me re-state it. If you 
> think SSL certificates are worthless and easily bypassed, let's see you 
> generate one which my browser will accept without throwing up a warning 
> that it's bogus.

Why should I bother?

>>> Ask yourself why phishing sites don't use SSL.
>> Why should they bother?  Would it increase their success ratio?
>
> It would if they could get the certificate to be accepted without any 
> warning, the connection to show as secure, and the certificate to state 
> that they really are the institution they're pretending to be. If they 
> could do that, they might fool people like me. But they can't, which is 
> the entire point.

Sure they could.  That's why they register domains that sort of look
like the company they're phishing.  Look at, for instance,
ebaysecurity.com; do you really think ebay registered a domain using
"freeservers.com"?

Seth

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg