[WEB SECURITY] SSL does not = a secure website

Nick Owen nowen at wikidsystems.com
Tue Mar 28 10:41:46 EST 2006

Ryan Barnett wrote:
> Lyal,
> My comments about SSL not equating to a "secure site" was not directed
> at the PCI standard but rather those uninformed individuals who think
> that implementing SSL and posting a banner on their site has magically
> solved their web security problems.
> Here is a perfect, personal example of what I mean.  This is a small
> excerpt from my book -
> */We're Secure Because We Use SSL: Missing the Point/*
> Back in February 2004, I decided to make an online purchase of some herbal
> packs that can be heated in the microwave and used to treat sore
> muscles.   When I visited the manufacturer's website, I was dutifully
> greeted with a message "We are a secure website!  We use 128-bit SSL
> Encryption."  This was reassuring.  During my checkout process, I
> decided to verify some general SSL info about the connection.  I
> double-clicked on the "lock" in the lower-right hand corner of my web
> browser and verified that the domain name associated with the SSL
> certificate matched the URL domain that I was visiting, that it was
> signed by a reputable Certificate Authority such as VeriSign and,
> finally, that the certificate was still valid.  Everything seemed in
> order so I proceeded with the checkout process and entered my credit
> card data.   I hit the submit button and was then presented with a
> message that made my stomach tighten up.  The message is displayed
> below, however I have edited some of the information to obscure both
> the company and my credit card data.
> The following email message was sent.
<big snip>

>     So as I think about this question, it seems that PCI should be
>     considered in its entirety, not just single sections, when it comes
>     to addressing risks.

I suspect that the merchant in your example was not and may still not be
big enough to be required to meet the PCI requirements.  Which brings up
a problem with the PCI requirements: how does a user know that they are
at a site which has met the PCI requirements?


Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
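The three padlock checks Ryan describes in the quoted excerpt (certificate name matches the URL host, issuer is a trusted CA, certificate is within its validity window), replayed in code as an added example. This is not code from the original thread; it works on the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and the certificate, host name, CA name and checkout date below are all constructed for illustration. The point it makes is the thread's own: all three checks can pass and still say nothing about what the merchant's backend does with the card number after the TLS session ends.

```python
"""Padlock-dialog checks replayed on a getpeercert()-style dict.
Added example; every value is constructed and the names are invented."""
import calendar
import ssl

# Constructed sample in the format ssl.SSLSocket.getpeercert() returns:
# subject/issuer are tuples of RDNs, each RDN a tuple of (type, value) pairs.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.shop.example"),),),
    "issuer": (
        (("organizationName", "Example Root CA"),),
        (("commonName", "Example Root CA G1"),),
    ),
    "notBefore": "Jan  1 00:00:00 2004 GMT",
    "notAfter": "Dec 31 23:59:59 2004 GMT",
    "subjectAltName": (("DNS", "www.shop.example"), ("DNS", "*.shop.example")),
}

# Constructed stand-in for the browser's trust store: issuer organisations the
# client accepts (assumption; a real store holds root certificates, not names).
TRUSTED_ISSUER_ORGS = {"Example Root CA"}


def utc_timestamp(year, month, day, hour=0, minute=0, second=0):
    """POSIX timestamp for a UTC date, so checks are deterministic offline."""
    return calendar.timegm((year, month, day, hour, minute, second))


def _dns_names(cert):
    """Names the certificate is valid for: SAN dNSName entries, falling back to
    the subject commonName only when no SAN is present (RFC 6125 behaviour)."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _name_matches(pattern, hostname):
    """Case-insensitive exact match, or a '*' as the whole left-most label
    matching exactly one label (the common browser wildcard rule)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Check 1: the certificate is issued for the host in the URL."""
    return any(_name_matches(name, hostname) for name in _dns_names(cert))


def issuer_trusted(cert, trusted_orgs):
    """Check 2: the issuer is one the client trusts (simplified to the
    issuer's organizationName against a set, not a chain validation)."""
    orgs = {v for rdn in cert.get("issuer", ()) for (k, v) in rdn if k == "organizationName"}
    return bool(orgs & trusted_orgs)


def currently_valid(cert, now):
    """Check 3: 'now' (POSIX timestamp) lies inside notBefore..notAfter.
    ssl.cert_time_to_seconds parses the OpenSSL text format used here."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def padlock_checks(cert, hostname, trusted_orgs, now):
    """Everything the padlock dialog can tell you. All True means the
    transport to this host is authenticated and encrypted; it says nothing
    about what the server does with the data afterwards (for instance
    e-mailing the order form, card number included, in clear text)."""
    return {
        "hostname_matches": hostname_matches(cert, hostname),
        "issuer_trusted": issuer_trusted(cert, trusted_orgs),
        "currently_valid": currently_valid(cert, now),
    }


if __name__ == "__main__":
    checkout_time = utc_timestamp(2004, 2, 14, 12)  # February 2004, as in the story
    print(padlock_checks(SAMPLE_CERT, "www.shop.example", TRUSTED_ISSUER_ORGS, checkout_time))
```

The wildcard matcher deliberately refuses to let `*.shop.example` cover `shop.example` or `deep.api.shop.example`; those are the two mistakes hand-rolled matchers most often make. In practice you would let the TLS library do this (Python's ssl.create_default_context() performs all three checks, and chain validation besides); the value of spelling it out is to see how short the list of guarantees is.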
