Re: [WEB SECURITY] SSL does not = a secure website
- From: Nick Owen <nowen@xxxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] SSL does not = a secure website
- Date: Tue, 28 Mar 2006 10:41:46 -0500
Ryan Barnett wrote:
> Lyal,
> My comments about SSL not equating to a "secure site" were not directed
> at the PCI standard but rather those uninformed individuals who think
> that implementing SSL and posting a banner on their site has magically
> solved their web security problems.
>
> Here is a perfect, personal example of what I mean. This is a small
> excerpt from my book -
>
>
> We're Secure Because We Use SSL: Missing the Point
>
> Back in February 2004, I decided to make an online purchase of some herbal
> packs that can be heated in the microwave and used to treat sore
> muscles. When I visited the manufacturer's website, I was dutifully
> greeted with a message "We are a secure website! We use 128-bit SSL
> Encryption." This was reassuring. During my checkout process, I
> decided to verify some general SSL info about the connection. I
> double-clicked on the "lock" in the lower-right hand corner of my web
> browser and verified that the domain name associated with the SSL
> certificate matched the URL domain that I was visiting, that it was
> signed by a reputable Certificate Authority such as VeriSign and,
> finally, that the certificate was still valid. Everything seemed in
> order so I proceeded with the checkout process and entered my credit
> card data. I hit the submit button and was then presented with a
> message that made my stomach tighten up. The message is displayed
> below; however, I have edited some of the information to obscure both
> the company and my credit card data.
>
> The following email message was sent.
<big snip>
> So as I think about this question, it seems that PCI should be
> considered in its entirety, not just single sections, when it comes
> to addressing risks.
>
I suspect that the merchant in your example was not and may still not be
big enough to be required to meet the PCI requirements. Which brings up
a problem with the PCI requirements: how does a user know that they are
at a site which has met the PCI requirements?
Nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org