Juergen Rensen wrote:
> 
> M2c: Credit card organizations and banks have successfully generated the
> image that strong encryption protecting from fraudulent use of credit
> cards is solely in the interest of the customer. What the customer is

Hmm...I suspect it's actually in the interest of the bank/cc org. They
want to have business, and the web will be booming. If they were to
sanction unencrypted transactions, and then someone stole card#'s
(e.g. sniffed packets), it would put a black mark on that cc org's
business practices. The fallout from brand image damage would be
not good.

> actually protected from is an increase in credit card fees, since the CC
> organization usually pays in case of a fraud, not the customer. A higher
> risk for the CCO would mean higher fees to retain their profit margins.

Actually, you missed a party - it's the _business_ that is on the hook
for fraudulent use, is it not? Unless the business itself is fraudulent,
of course, in which case it goes back to the _bank_ (not cco) that
sponsored the merchant in the first place. At least I believe
in Canada/U.S. that is the case.

> 
> As far as I know, there has never been a fraud by decrypting some
> electronic traffic, although with the more wide-spread use of SSL, faster
> hardware, etc, the possibility is there. I feel that there is also some PR
> thing going on: Those capable of providing strong encryption (ie, financial
> institutions) are quick to state that 40-bit encryption is just not good
> enough (I guess they are right?). Everybody wants high and strong, not low
> and weak.
> 
> Would some fortifying SSL proxy server work? Ie, browser talks 40-bit to
> SSL proxy, SSL proxy talks 128-bit to destination host. All very
> inconvenient though.

Well, sort of. Assumes that your proxy is on the same machine as your
browser. The further you remove it from the machine, the more
opportunity you give someone else to sniff packets (unless I am missing
something basic.)

> 
> Summary: Can someone please write a great browser based on OpenSSL and send
> me a copy? ;-)

Me too please ;-)

> 
> Juergen
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

Thomas