WebApp Sec mailing list archives
Re: Problems with most web app auth schemes
From: Ingo Struck <ingo () ingostruck de>
Date: Mon, 28 Jul 2003 00:51:01 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Robert,
> The various web app schemes aren't trying to establish iron-clad security. They are trying to reduce the risk of loss to the client (customer) and server (merchant) to an acceptable level without being so intrusive that the clients won't attempt the transaction or be turned away. The reason we can't get better security for current systems is that they pass the "good enough" tests for most clients. Merchants and credit card companies have enough data to understand the loss rate. So long as they can recover that in the prices they charge, there's no reason to change (same thing applies to ATMs).
From the insurance broker's point of view (which I can fortunately follow to some extent due to some decent knowledge of statistics) you are of course right - the loss of income you lower with improved "security" should always outweigh the investment in it...

Alas, such an attitude
- is unsatisfactory from a theoretical point of view
- does not help to improve things basically

The "good enough" policy is dangerous, because there are certainly always some attackers who are willing and able to exploit that on a large scale (just like all worst case scenarios: they are rather improbable but could be devastating if they occur), and it is dangerous because it might lower the overall trust in your system (some "victims" that you had in your calculation may be disappointed and not contented with the offered compensation).

On the other hand it is not a real option from a "customer's" point of view to pay the price for only "good enough" systems some supplier uses - in a long term calculation a "best possible" strategy will surely pay off better.

Kind regards

Ingo

-- 
ingo () ingostruck de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE/JFdZhQivkhmqPSQRAmAyAJ988VgEdVnf8so069kd3XfVQiOemQCg0Iu1
S7E56p/bULbsAIHG9DQskmI=
=QNaS
-----END PGP SIGNATURE-----
Current thread:
- Problems with most web app auth schemes Kevin Spett (Jul 26)
- Re: Problems with most web app auth schemes Erik Kangas, PhD (Jul 26)
- Re: Problems with most web app auth schemes Brant Langer Gurganus (Jul 27)
- Re: Problems with most web app auth schemes Tim (Jul 27)
- Re: Problems with most web app auth schemes George W. Capehart (Jul 27)
- Re: Problems with most web app auth schemes Tim (Jul 27)
- Re: Problems with most web app auth schemes George W. Capehart (Jul 28)
- Re: Problems with most web app auth schemes Tim (Jul 27)
- Re: Problems with most web app auth schemes Ingo Struck (Jul 27)
- <Possible follow-ups>
- RE: Problems with most web app auth schemes Cowles, Robert D. (Jul 27)
- Re: Problems with most web app auth schemes Ingo Struck (Jul 27)
- Re: Problems with most web app auth schemes webappsec (Jul 28)
- RE: Problems with most web app auth schemes Brass, Phil (ISS Atlanta) (Jul 29)