[WEB SECURITY] SSL does not = a secure website
nowen at wikidsystems.com
Tue Mar 28 10:41:46 EST 2006
Ryan Barnett wrote:
> My comments about SSL not equating to a "secure site" were not directed
> at the PCI standard but rather those uninformed individuals who think
> that implementing SSL and posting a banner on their site has magically
> solved their web security problems.
> Here is a perfect, personal example of what I mean. This is a small
> excerpt from my book -
> */We're Secure Because We Use SSL: Missing the Point/*
> Back in February 2004, I decided to make an online purchase of some herbal
> packs that can be heated in the microwave and used to treat sore
> muscles. When I visited the manufacturer's website, I was dutifully
> greeted with a message "We are a secure website! We use 128-bit SSL
> Encryption." This was reassuring. During my checkout process, I
> decided to verify some general SSL info about the connection. I
> double-clicked on the "lock" in the lower-right hand corner of my web
> browser and verified that the domain name associated with the SSL
> certificate matched the URL domain that I was visiting, that it was
> signed by a reputable Certificate Authority such as VeriSign and,
> finally, that the certificate was still valid. Everything seemed in
> order so I proceeded with the checkout process and entered my credit
> card data. I hit the submit button and was then presented with a
> message that made my stomach tighten up. The message is displayed
> below, however I have edited some of the information to obscure both
> the company and my credit card data.
> The following email message was sent.
> So as I think about this question, it seems that PCI should be
> considered in its entirety, not just single sections, when it comes
> to addressing risks.
I suspect that the merchant in your example was not and may still not be
big enough to be required to meet the PCI requirements. Which brings up
a problem with the PCI requirements: how does a user know that they are
at a site which has met the PCI requirements?
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
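The quoted excerpt lists the three things the author checked in the browser: the certificate name matches the URL's host, the issuer is a trusted CA, and the certificate is within its validity dates. The script below is an added example that reproduces those checks over a certificate in the dict format that Python's `ssl.SSLSocket.getpeercert()` returns; it is not code from either author of the thread. The sample certificate, its host names, dates and the "Example Trusted CA" issuer are constructed for illustration. As the thread argues, passing all three checks proves only that the transport was encrypted to the named server; it says nothing about what the merchant's application does with the card data afterwards, such as e-mailing it in the clear.

```python
"""Browser-style certificate checks on a getpeercert()-shaped dict.

Checks: (1) name matches the visited host, (2) issuer is on our trusted
list, (3) current time lies inside the validity window. None of these
say anything about the server-side handling of the submitted data.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); not a
# real certificate, and the names and dates are invented for this example.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Herbal Packs (constructed)"),),
        (("commonName", "www.example-herbal.test"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trusted CA (constructed)"),),
        (("commonName", "Example Trusted CA Server Certs"),),
    ),
    "subjectAltName": (
        ("DNS", "www.example-herbal.test"),
        ("DNS", "*.shop.example-herbal.test"),
    ),
    "notBefore": "Jan 15 00:00:00 2004 GMT",
    "notAfter": "Jan 15 23:59:59 2005 GMT",
}

# Stand-in for the browser's trust store; a real client trusts a CA by
# verifying the signature chain, which the live path below delegates to ssl.
TRUSTED_ISSUERS = {"Example Trusted CA (constructed)"}


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a single leading
    '*.' covers exactly one label (never the bare registrable domain)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def certificate_names(cert):
    """Names a browser compares against the URL host: the DNS entries of
    subjectAltName, falling back to the subject CN only when no SAN exists."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def issuer_organization(cert):
    """Return the issuer's organizationName, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_certificate(cert, hostname, trusted_issuers, now):
    """Run the three checks. `now` is a timezone-aware datetime so the
    validity test is reproducible instead of depending on the wall clock."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    issuer = issuer_organization(cert)
    return {
        "hostname_matches": any(dns_name_matches(n, hostname) for n in certificate_names(cert)),
        "issuer": issuer,
        "issuer_trusted": issuer in trusted_issuers,
        "within_validity": not_before <= ts <= not_after,
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live path (not used offline): let ssl verify chain and hostname,
    then return the leaf certificate dict for reporting."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    when = datetime(2004, 2, 10, tzinfo=timezone.utc)  # around the anecdote's purchase
    for host in ("www.example-herbal.test", "checkout.shop.example-herbal.test", "example-herbal.test"):
        print(host, check_certificate(SAMPLE_CERT, host, TRUSTED_ISSUERS, when))
```

`check_certificate` returns one flag per check so a caller can report exactly which of the three failed, mirroring what the browser's lock dialog showed the author; an all-true result is the same "everything seemed in order" that preceded the card number being mailed.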