WebApp Sec mailing list archives

Re: [WEB SECURITY] SSL does not = a secure website


From: Nick Owen <nowen () wikidsystems com>
Date: Tue, 28 Mar 2006 10:41:46 -0500

Ryan Barnett wrote:
Lyal,
My comments about SSL not equating to a "secure site" were not directed
at the PCI standard but rather those uninformed individuals who think
that implementing SSL and posting a banner on their site has magically
solved their web security problems.
 
Here is a perfect, personal example of what I mean.  This is a small
excerpt from my book -
 

*/We're Secure Because We Use SSL: Missing the Point/*

Back in February 2004, I decided to make an online purchase of some herbal
packs that can be heated in the microwave and used to treat sore
muscles.   When I visited the manufacturer's website, I was dutifully
greeted with a message "We are a secure website!  We use 128-bit SSL
Encryption."  This was reassuring.  During my checkout process, I
decided to verify some general SSL info about the connection.  I
double-clicked on the "lock" in the lower-right hand corner of my web
browser and verified that the domain name associated with the SSL
certificate matched the URL domain that I was visiting, that it was
signed by a reputable Certificate Authority such as VeriSign and,
finally, that the certificate was still valid.  Everything seemed in
order, so I proceeded with the checkout process and entered my credit
card data.   I hit the submit button and was then presented with a
message that made my stomach tighten up.  The message is displayed
below; however, I have edited some of the information to obscure both
the company and my credit card data.

The following email message was sent.
<big snip>

    So as I think about this question, it seems that PCI should be
    considered in its entirety, not just single sections, when it comes
    to addressing risks.
     

I suspect that the merchant in your example was not and may still not be
big enough to be required to meet the PCI requirements.  Which brings up
a problem with the PCI requirements: how does a user know that they are
at a site which has met the PCI requirements?

Nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
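The three checks the quoted book excerpt describes (certificate name matches the URL's domain, issued by a trusted CA, still within its validity dates), written out as an added example; this is not code from the list post, the book, or WiKID Systems. The certificate dict, the hostnames, the issuer name and the dates are constructed values in the shape that Python's `ssl.SSLSocket.getpeercert()` returns; `fetch_peer_cert` is the only part that touches a network and it is included just to show where the stdlib performs the same checks for you.

```python
"""Transport-level certificate checks: name match, issuer, validity window.

Everything here is an added illustration.  SAMPLE_CERT is a constructed
dict in the shape returned by ssl.SSLSocket.getpeercert(); it is not a
real certificate and the names in it are placeholders.
"""
from datetime import datetime, timezone
import socket
import ssl

# Constructed sample cert (not real).  Valid 2004-01-01 .. 2006-12-31.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("organizationName", "Example Root CA"),),
               (("commonName", "Example Root CA"),)),
    "subjectAltName": (("DNS", "shop.example.test"),
                       ("DNS", "*.shop.example.test")),
    "notBefore": "Jan  1 00:00:00 2004 GMT",
    "notAfter": "Dec 31 23:59:59 2006 GMT",
}

# Constructed reference dates: one inside the window, one after it.
PURCHASE_DATE = datetime(2004, 2, 15, tzinfo=timezone.utc)
EXPIRED_DATE = datetime(2007, 1, 1, tzinfo=timezone.utc)


def _parse_asn1_time(value):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used by getpeercert()."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc)


def _label_matches(pattern, hostname):
    """RFC 6125-style match: a leading '*.' covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    head, sep, rest = hostname.partition(".")
    return bool(sep) and head != "" and rest == pattern[2:]


def names_in_cert(cert):
    """DNS names from subjectAltName; fall back to CN only if there is no SAN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(cert, hostname):
    return any(_label_matches(n, hostname) for n in names_in_cert(cert))


def issuer_name(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def is_valid_at(cert, when):
    return (_parse_asn1_time(cert["notBefore"]) <= when
            <= _parse_asn1_time(cert["notAfter"]))


def check_certificate(cert, hostname, when, trusted_issuers):
    """Return a list of findings; an empty list means all three checks passed.

    These checks cover only the connection.  They say nothing about what the
    server does with the data afterwards, which is the excerpt's point.
    """
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append(f"name mismatch: cert covers {names_in_cert(cert)}, "
                        f"not {hostname}")
    issuer = issuer_name(cert)
    if issuer not in trusted_issuers:
        findings.append(f"issuer {issuer!r} is not in the trusted set")
    if not is_valid_at(cert, when):
        findings.append("certificate is outside its validity window")
    return findings


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live variant: the default context validates chain and hostname itself
    and raises ssl.SSLError / ssl.CertificateError on failure.  Needs network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    trusted = {"Example Root CA"}
    print(check_certificate(SAMPLE_CERT, "shop.example.test", PURCHASE_DATE, trusted))
    print(check_certificate(SAMPLE_CERT, "shop.example.test", EXPIRED_DATE, trusted))
    print(check_certificate(SAMPLE_CERT, "other.test", PURCHASE_DATE, set()))
```

The first call returns no findings, which is exactly the situation in the excerpt: every browser-visible check passes, and the order is then emailed in the clear by the merchant's own system. In practice the live path (`create_default_context` plus `server_hostname`) is what you rely on; the hand-written matcher is here only to make the three checks explicit.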
