- Date: Thu, 24 Feb 2011 13:30:32 +0900
- From: Raymond Wan <rwan.kyoto@example.com>
- Subject: Re: [tlug] cacert question
- References: <AANLkTi=2RaYdt1yqbF4=tjZKCfSaZ-kuOGT50sRSnhAd@example.com> <AANLkTimWRynCAbBbVCzhcqvEjB1OcD5B1xt6N+S7vOpJ@example.com> <AANLkTinz=E_DM7KLopuS2O+V+coP3+0VhPck-3RUHxXg@example.com> <AANLkTimMKBpd6gS9Xpn3WWrUWP2yYMrkETXabfYp4wzB@example.com>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20101226 Icedove/3.0.11
Hi Kalin,

On 24/02/11 03:22, Kalin KOZHUHAROV wrote:

> Technically they could, but they have not as of now. See Requirement 4 about securing data in transit. As long as https is used, it is technically fine to use self-signed cert, or any strong certificate (i.e. not using compromised/low-grade crypto-algorithms). That is by the standard. When I do assess a system, I go one step further and look into how certificates are obtained, stored, installed, etc. Sometimes a client will demonstrate very well organized CA practices within their organization, so in a way a "self-signed" cert (=signed by the CA of the client that is root-CA) does make sense.

I see -- in other words, it's not just about having the best lock that money can buy; it's also about whether or not you put the key to the lock under the "Welcome" mat in front of the door... :-)

> I haven't heard of a case (that doesn't mean there aren't any) where a certificate was really compromised because of bad RCA and as a result cardholder data leaked. All the phishing schemes may involve certificates, but usually don't. When they do it, you only see a "funny" window in your browser asking to install and trust a new CA (at least the older browsers). You click OK and you are phished. Newer browsers add a bit more fanfare but don't be sure that grandma will be bothered too much...

Oops... :-) I've clicked OK sometimes, too, but never for use with a credit card. Usually to do something that (I think) is harmless like reading forums or some other text. Always makes me wonder why they went to the trouble of getting a certificate that isn't authorized or is no longer valid for something that seems harmless.

> > Sometimes I find it odd that the security necessary for a web-based transaction is higher than the 4 digits for our bank PIN.
>
> It is not. The PIN you use comes together with the card, so it is already a two-factor authentication. (And NO, you should NEVER enter your PIN on a PC keyboard.)
>
> Plus it is used over a secured channel when you use it at the ATM. Plus there is physical security of the ATM and often cameras (for auditing).

Yes, I guess I was simplifying things significantly.

> And I'm sure someone has done some study that said if the PIN was longer, then we would be less likely to be able to remember it and then be "forced" to write it on the back of our bank card.

A while back, I saw a TV show that said the reason US telephone numbers (this was a US TV show) had 7 digits was someone did a study and figured out that was the limit of people's memory. Can't remember where I saw it and how credible the whole news segment was.

> If you still have that receipt with all but the last 4 digits, I'll be happy to give this merchant a call and explain to them (or their upstream provider) about PCI DSS requirement 3.3 for masking (leaving at most the first 6 and last 4 digits).

No, I don't have it anymore; but I will keep this in mind in case it happens again. I don't remember which merchant it was.

> I hope that this late (i.e. early) hour is not very obvious in the clarity of my answers, LoL!

Amazingly coherent for 3 am in the morning... :-)

Thank you!

Ray
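The masking rule Kalin cites (PCI DSS requirement 3.3: at most the first 6 and the last 4 digits of a card number may be displayed) is easy to get wrong on a printed receipt, as the "all but the last 4 digits" case in this thread shows. Below is an added example, written for this page and not part of the thread or of any PCI DSS tooling, that masks a PAN to that limit and audits constructed receipt lines for fields that show more than allowed. The `Card:` label convention, the sample receipt lines and the 4111... test number are all constructed for the example; the Luhn check is added only to tell an unmasked card number from an unrelated long number and is not something the thread discusses.

```python
import re

# Display limits from PCI DSS requirement 3.3 as stated in the thread:
# at most the first 6 and the last 4 digits of a PAN may be shown.
MAX_LEADING = 6
MAX_TRAILING = 4


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a digit string; distinguishes a real-looking PAN from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = MAX_LEADING, keep_last: int = MAX_TRAILING) -> str:
    """Return a display form of `pan` showing at most keep_first leading and keep_last trailing digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13-19 digits")
    if keep_first > MAX_LEADING or keep_last > MAX_TRAILING:
        raise ValueError("requested display exceeds the first-6/last-4 limit")
    hidden = len(digits) - keep_first - keep_last
    masked = digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]
    # group in fours purely for readability on a receipt
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def card_field_verdict(field: str) -> str:
    """Classify one printed card-number field: 'ok', 'overexposed', 'exposed' or 'not_a_pan'."""
    compact = re.sub(r"[\s-]", "", field)
    m = re.fullmatch(r"(\d*)([*Xx#]*)(\d*)", compact)
    if not m or len(compact) < 13:
        return "not_a_pan"
    lead, hidden, trail = m.groups()
    if not hidden:
        # no mask characters at all: a full PAN if it passes Luhn, otherwise some other number
        return "exposed" if luhn_valid(compact) else "not_a_pan"
    if len(lead) > MAX_LEADING or len(trail) > MAX_TRAILING:
        return "overexposed"   # masked, but more than first 6 / last 4 are visible
    return "ok"


# Constructed sample receipt; the 'Card:' label convention is an assumption of this example.
SAMPLE_RECEIPT = [
    "ACME MART  2011-02-24 13:30",
    "Card: 4111 11** **** 1111",   # compliant: first 6 and last 4
    "Card: 4111 1111 1111 ****",   # the thread's case: all but the last 4 visible
    "Card: 4111 1111 1111 1111",   # full PAN printed
    "Card: **** **** **** 1111",   # compliant: last 4 only
    "Auth code: 123456",
]

CARD_FIELD = re.compile(r"(?i)card\s*(?:no\.?|number)?\s*[:#]?\s*([0-9*Xx# -]{13,})")


def audit_receipt(lines):
    """Return (line, verdict) for every line whose card-number field is not compliant."""
    findings = []
    for line in lines:
        m = CARD_FIELD.search(line)
        if not m:
            continue
        verdict = card_field_verdict(m.group(1))
        if verdict != "ok":
            findings.append((line, verdict))
    return findings


if __name__ == "__main__":
    print(mask_pan("4111111111111111"))
    for line, verdict in audit_receipt(SAMPLE_RECEIPT):
        print(f"{verdict:12s} {line}")
```

`mask_pan` refuses any request to show more than the standard allows, so a caller cannot accidentally print the first 12 digits; `audit_receipt` is the check you would run over a batch of receipt images' OCR text or a POS template before it reaches a customer.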