Is the internet really insecure?



Philip M
01-23-2003, 07:07 PM
I would be grateful for authoritative views or comment on the following:-

It is widely believed that the internet is insecure and that geeks and criminals are somehow able to pluck email transmissions out of the ether, and in particular are able to alter messages and/or steal unencrypted credit card data. I believe that this is an urban myth, and that it requires the vast technical resources of the CIA or GCHQ to intercept emails (and 300,000 emails a second are sent in the UK!).

Does anyone know of any instance (within say the last 10 years) where this has actually happened (other than to "a friend of a friend")?

I have a small business which receives about 5 orders a day via the internet. I do accept that the risks are far higher for (say) a bank or a major retailer which may be targeted by sophisticated criminals, but I do not believe that the internet is any more insecure than telephone, fax or ordinary letter mail. Of course, I accept that in theory a dishonest employee might conceivably intercept a communication, just as in theory an engineer might tap your telephone line or a postal employee might steal your letter mail.

Would anyone care to convince me that I am wrong?

I do appreciate that there are many scams involving credit cards, but is email interception really one of them?

mouse
01-23-2003, 08:35 PM
Emails can be nabbed "out of the ether". Do not use email for anything such as credit/debit card transactions, even if they're disguised or weakly encrypted.

SSL 128bit encryption - which is what you should be doing with credit card payments etc. - is not unbreakable, no encryption is, but it'd take a multinational company with mahoosive cpu(s) power to break, even then taking weeks rather than hours.



* mahoosive is a technical term btw ;)

Majik_Dance
01-23-2003, 08:43 PM
1.21 Mahoosive?! 1.21 Mahoosive?!

What the heck is a Mahoosive?!

** as Majik_Dance attempts to continue a thread from elsewhere in this forum :D **

On a more serious note, I echo what mouse has stated; no encryption is unbreakable - just a matter of time and resources.

zoobie
01-24-2003, 04:34 AM
...and if you actually think 300,000 emails are sent every second in the UK, then you'll believe anything. I have some killer beachfront property in Arizona I'd like to sell you...It's beautiful...complete with elephants and martians. ;)

mouse
01-24-2003, 02:52 PM
Dunno about 300k per second, it might be more than that... but I do know MI5 have a center monitoring all internet transmission and encrypted email can get you two years doing porridge if you don't give them the key.

I never order online unless I see the padlock. Neither should you ;)

brothercake
01-24-2003, 03:25 PM
Originally posted by mouse
encrypted email can get you two years doing porridge if you don't give them the key.


Except that RIP is legally unenforceable, as they'll discover when the first test case appears .... RIP puts the onus of proof on you - prove you haven't got a key. But how can you do that?

An organisation (I forget the name) sent the then Home Secretary Jack Straw an encrypted document which contained a confession to a crime - then destroyed the key. Now the onus of proof is on him to prove he hasn't got the key, which of course he can't - there could be a key anywhere; on a disk in his office; squirrelled away on the internet; anywhere.

Ridiculous ... just another example of knee-jerk legislation based on ignorance and media frenzy. If government policy was on /. I'd mark it "-5: demonstrably incorrect, and laughably so"

cg9com
01-24-2003, 04:56 PM
Originally posted by zoobie
I have some killer beachfront property in Arizona I'd like to sell you...It's beautiful...complete with elephants and martians. ;)

ooh ooh over here!
a beach in Arizona that must be a nice place!

Philip M
01-24-2003, 06:59 PM
Originally posted by mouse
Emails can be nabbed "out of the ether". Do not use email for anything such as credit/debit card transactions, even if they're disguised or weakly encrypted.


I am afraid that unless you can give me some hard information about how the interception is done, I do not believe you. As I say, I think that it is an urban myth. Possibly manufactured by people who would like to sell solutions to non-existent problems (such as the Y2K scare).

I do agree that almost any encryption can be cracked if enough resources are applied to it, but who is going to spend hours to get just one lousy credit card number, when he could make it up. There are far more rewarding credit card scams than that!

E.g. 5400 0000 0000 0500 is a "valid" number which I have just this minute manufactured.

Here is a genuinely valid credit card number (mine!) "weakly" encrypted by my order form (average of 5 orders a day):-

e279c573247b84692a6bd71ad399d27058a96e4

As I say, that encryption CAN be broken but I'll bet that no-one here will be willing to devote the time required to decypher it.

But in any case I am saying that I believe that in the real world no-one can intercept the communication anyway.

As I say, please don't simply assert that emails are insecure - that is just repeating the urban myth. I am willing - eager almost - to be convinced otherwise, but I will not believe it unless someone can specify an instance where an email (properly addressed of course) HAS actually been intercepted by a criminal or fraudster.

Every time you visit a petrol station the clerk gets a copy of your credit card details and your signature as well. In a restaurant your card may be taken away to be processed, and may be swiped twice - this has actually happened to me. This and other scams seem to me to be infinitely more probable than interception of emails or order forms.

If I understand it correctly, SSL provides very secure encryption as between the customer and the server (ISP) at which point the message is decrypted, and consequently no security at all as between the server and the remote merchant's computer, the message being sent on this stage as plain text. Or have I misunderstood?

Zoobie - the 300000 emails a second which I quoted probably includes text messages. In any case, there surely are a very large number of them! But I agree that people will believe any silly assertion if it is made by a so-called expert (or in a newspaper!), which brings us back full circle!

Feyd
01-24-2003, 07:29 PM
Philip, it is no problem to intercept packets and piggyback transmissions from specific ISP subscribers and users or a cross-section of traffic on a node, which includes emails...I did it all the time when I was younger, and far too many other things to remember now...

zoobie
01-24-2003, 07:37 PM
There are ways to monitor the server and when the email is sent, intercept. Also, there are warez available to hack into existing accounts. Sending yourself the credit-card number encrypted in which only you have the key seems pretty secure but not as good as SSL. You can always change the key once or twice a month, too.

I discovered a huge flaw in Paypal big enough to drive a lorry through. As a matter of fact, I downloaded some software last night for the first time testing this method without paying and it worked. I am contacting the webmaster after this post.

But Covers is right...Letting your users know you've spent the time and effort for SSL security will instantly lead to more sales. With the cost of certificates coming down to $15-25, it only makes good business sense. :)

For a good source of links, news, and facts, try www.emailtoday.com :D

Shift4Sms
01-24-2003, 07:56 PM
To answer your question: Most of the gloom and doom you hear about Internet security (or lack thereof) is media hype BUT it is not an urban myth -- stealing of unencrypted data on the Internet can and has happened.

I know there are case examples around but I do not have the time to look them up right now. I can tell you this though; by sending sensitive data unencrypted via e-mail you are SIGNIFICANTLY increasing the chances of a fraudster getting the information. Just because a hole is not exploited does not mean that you don't have a hole! Can you or the merchant you are developing/maintaining a site for afford the bad press if and when it does get exploited?

While I don't promote sending sensitive data by any means unencrypted, HTTP has less chances of being sifted than e-mail messages. Reason being, most e-mail servers write incoming messages to log files before forwarding the messages while HTTP traffic is usually routed directly without logging (or at least not in the same detail as e-mail messages). Give me 10 minutes of access to your primary e-mail server and I will show most, if not all, the orders you processed over the last month, including full credit card info.

As Coverz stated, I'm surprised that you have 5 orders a day via e-mail -- unless the customers don't know that their information is being sent via insecure means (SSL to web server to e-mail message to merchant).
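Shift4Sms's point above, that card numbers sent by e-mail sit in readable form on the mail server, can be checked from the defender's side by auditing your own stored mail. The following is an added example, not part of the original thread: it scans stored messages for Luhn-valid card numbers and reports them masked. The sample messages, the `shop.example` addresses and the function names are constructed for illustration; the only number taken from the thread is Philip M's manufactured 5400 0000 0000 0500.

```python
import base64
import re
from email import message_from_string

# Candidate card numbers: 13-19 digits, optionally separated by single
# spaces or hyphens, not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so the report holds no full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked forms of every Luhn-valid candidate in the text."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def text_parts(msg):
    """Yield decoded text bodies, undoing base64/quoted-printable encoding."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        yield payload.decode(charset, errors="replace")


def audit_messages(raw_messages) -> list:
    """Return (subject, masked number) for each card number found at rest."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        for text in text_parts(msg):
            for masked in find_pans(text):
                findings.append((msg.get("Subject", ""), masked))
    return findings


def _make(subject: str, body: str, b64: bool = False) -> str:
    """Build a constructed sample message (not real traffic)."""
    if b64:
        payload, cte = base64.b64encode(body.encode()).decode(), "base64"
    else:
        payload, cte = body, "7bit"
    return (
        "From: formmail@shop.example\n"
        "To: orders@shop.example\n"
        f"Subject: {subject}\n"
        "Content-Type: text/plain; charset=utf-8\n"
        f"Content-Transfer-Encoding: {cte}\n\n{payload}\n"
    )


# Constructed samples: a plain-text order, an order reference that only
# looks like a card number, and a base64-encoded body.
SAMPLE_MESSAGES = [
    _make("Order 1041", "Name: A. Customer\nCard no: 5400 0000 0000 0500\n"),
    _make("Order 1042", "Order ref 1234 5678 9012 3456, pay on delivery\n"),
    _make("Order 1043", "Card: 5400-0000-0000-0500\n", b64=True),
]

if __name__ == "__main__":
    for subject, masked in audit_messages(SAMPLE_MESSAGES):
        print(f"{subject}: card number stored in mail ({masked})")
```

The base64 sample is there because a plain text search of the spool would miss it; the body has to be decoded before matching.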

firepages
01-25-2003, 12:14 AM
& there are lots of little Feyd's out there :D

realistically though there is more chance of your server being compromised and data stolen from that than by someone intercepting your email ...

but you only need to get sued once for it to matter ;)

One of the sites I work on has no SSL yet takes credit-card information, the owners know exactly what I think about this but the customer is always right '!'

however of all the sites I work on this has by far the biggest number of transactions ! , I think it's a question of trust, the site in question is the web-front end of a magazine, its readers I assume know and trust it and don't appear to think twice about submitting their CC details ! (though I am sure it would be busier if they did)

For my part I split the CC num & char data, store half of it encrypted on the server and send the other half encrypted via email. - the encryption is weak but never having the full CC data in one place makes it harder for someone to get lucky.

For anyone to get all the data required they would need to compromise the server, which again is the most likely starting point for anyone trying to get at ya.

Shift4Sms
01-25-2003, 12:49 AM
One of the sites I work on has no SSL yet takes credit-card information, the owners know exactly what I think about this but the customer is always right '!'
Don't worry, I'm not a credit card G-man :cool: but technically, the merchant is not "right". It is against VISA and MasterCard regulations to accept credit card information over the Internet unencrypted.

It's rare to hear of VISA or MasterCard pro-actively enforcing this rule but if a cardholder complains about being a fraud victim (whether or not the web site is responsible for the fraud), be assured that they do re-active enforcement which usually results in a fine and/or immediate suspension of the merchant account.

firepages
01-25-2003, 02:07 AM
Originally posted by Shift4Sms
be assured that they do re-active enforcement which usually results in a fine and/or immediate suspension of the merchant account.

Of that I have no doubt and I have told them that more than once - + the cost of doing SSL is minimal ... one day I will get them there.

Philip M
01-25-2003, 08:58 AM
Thank you, everyone. I am obliged for all the information and I understand the technicalities better now.

"......realistically though there is more chance of your server being compromised and data stolen from that than by someone intercepting your email ... "!

I use a very well-known UK ISP, and I find it hard to believe that their server can be "compromised"! It seems as far-fetched as to suggest that my telephone is constantly being tapped by a criminal.

With the utmost deference and respect, I do have the vague sensation that Shift4sms (Creators of $$$ ON THE NET(tm) credit card processing services) could possibly have an axe to grind!

I have made the point that the credit card information on my order form is encrypted as I described. The form is submitted via FormMail.cgi (is this the same as email? - the form is sent to me from the ISP server as email). To make it crystal clear, I am not claiming that the encryption cannot (relatively easily but still with difficulty) be broken - I am saying that it is not possible for a criminal to intercept the data in the first place.

Although I have no technical expertise at all, and respect the information you have all given, I have to say that I still feel that there is an element of the Loch Ness Monster about this - it is widely believed to exist, and quite a few claim to have actually seen it. But no-one can produce a photograph or one of its scales! ("....... I know there are case examples around but I do not have the time to look them up right now......."). This suggests that email interception cannot be widespread.

"I think its a question of trust". Quite so. In my very specialised business I am sure that applies. In any case one ought never supply credit card information to merchants you do NOT trust, whether encrypted or not!

For those who prefer it I offer a paper order form which the customer can print out and send in by street mail. A few people take advantage of this. But we get quite a lot of orders in addition to those submitted by the (semi-secure) on-line order form by simple email, so not everyone is paranoid. And I ought to add that we get another 15-20 orders a day by street mail, fax and telephone.

"....the cost of certificates coming down to $15-25..." But I have been quoted 400 a year by my ISP to have SSL and https. To be blunt, I cannot afford this additional overhead. I see it as overkill.

Thank you again for your various comments. As I say, I am still not convinced that geeks and criminals really can target and intercept emails or form submissions, but I accept that it might have happened. If it really can be done, why is it not done more often by all the little Feyds out there, and why can no-one here (surely the most knowledgeable people) point to an actual instance?

A final thought - if it was possible to intercept emails, the potential pickings (confidential financial information, blackmail or embarrassment opportunities etc.) would be far more than the odd credit card number.

firepages
01-25-2003, 10:09 AM
google it (http://www.google.com.au/search?hl=en&ie=ISO-8859-1&q=credit+card+numbers+stolen+hacked&meta=)


I find it hard to believe that their server can be "compromised"!

oh it can :) - MS get hacked nearly weekly - ok they are targets, Apache.org got hacked not that long ago - these people know what they are doing, if they are vulnerable your ISP is vulnerable.

I don't think that Shift4sms post was anything but valid whatever the intentions.

I don't think that data is compromised as often as many would like to believe but it happens hundreds of times daily to the biggest and smallest of sites and when you imagine the possible consequences I think that a little paranoia is a good trait, and pretending it is not there could end in tears ;)

Kiwi
01-25-2003, 10:43 AM
The possibility of intercepting a message is actually very small. The main reason for this is that messages are split into small packets for transmission. These packets can (and usually do) follow different routes between points A and B. To recreate a message from the transmission process would be difficult to say the least.

The weaknesses on the system are at the major nodes (points where lots of traffic pass through) and at the termination points -- either end of the transmission. However, the termination points are bigger than you might expect -- packets are reassembled before they reach the server (and, therefore, before they reach your server's security).

Here the security is a big issue. If you get access to either the major nodes or either end of the transmission, then the internet protocols do all the interception/assemblage work for you and give you the results. More critically, at the terminal points, the data is actually stored. Accessing stored data is much easier (and more rewarding) than intercepting transmissions.

As for servers getting hacked -- all you have to do is leave alerts on for a firewall to see how many people are probing ports to see if they can find a vulnerability. Most of these are script kiddies using tools and relatively little knowledge. But some are people who actually know what they're doing. These are random attacks on your home pc. I've also watched the security monitors on a few large corporate networks; these are also constantly being probed.

These can and do lead to servers being compromised. You may not believe it, but this just makes it easier for someone to get in.

Philip M
01-25-2003, 11:07 AM
Thank you, Kiwi. Your explanation is very clear. We do make it clear on our website that we do not store any sensitive data on any computer connected to the internet. By this I mean that as soon as we receive an on-line order form we de-crypt it, print it out on paper, copy it to a floppy disk, and then at once delete it from OE. (I realise that it may be still there in the interstices somewhere!). I have the usual Zone Alarm and our terminal is not permanently on-line.

To summarise what I understand you to say - interception of emails in transmission is (as I thought) virtually impossible. Hacking into the server to recover data stored there is much more possible, but of course a major ISP will have sophisticated defences in place. But even if that happens the credit card data in our order form is (weakly) encrypted as I have indicated. In the real world I do not believe that it can be decyphered (by which I mean no-one would think it worth the considerable time and effort to try to do so). (Perhaps Zoobie or Whammy will prove me wrong!). The steering lock on my car is not totally thief proof - but it deters 99.99% and encourages them to move on to an easier target.

Thank you once again for taking the time to explain all this.

Kiwi
01-25-2003, 01:58 PM
Originally posted by Philip M
Hacking into the server to recover data stored there is much more possible, but of course a major ISP will have sophisticated defences in place.
That's not a safe assumption. Any server can be hacked; most far more easily than you seem to realise.

But even if that happens the credit card data in our order form is (weakly) encrypted as I have indicated. In the real world I do not believe that it can be decyphered (by which I mean no-one would think it worth the considerable time and effort to try to do so).
If someone bothers to break into a server, then weak encryption is meaningless. If it can be broken (which it can -- and there are tools to do this), then someone with a list of encrypted numbers has a lot of motivation to break it.

Let me put it another way: I wouldn't trust that security model. I wouldn't use it for running a site myself; I wouldn't send my credit-card details into a site using such weak security.

Shift4Sms
01-27-2003, 10:17 PM
...I do have the vague sensation that Shift4sms could possibly have an axe to grind!
Many times I do have an axe to grind but I thought I was just being helpful here -- I guess you are referring to my signature line?

My only advice was don't be naive in thinking that using unencrypted e-mail for transferring sensitive information is a small security hole. Provided that you stay small and off the radar of fraudsters, then your assumption that the risk is minimal "may" be correct. But there is a risk and the risk grows as your orders increase and you become a juicier target. As I stated before, can you afford the bad press if and when your security hole does get exploited?

Hacking into the server to recover data stored there is much more possible, but of course a major ISP will have sophisticated defences in place.
This is untrue and I have first hand knowledge. My family has a couple of businesses and on the side I developed and maintain their web sites using a "major ISP". Since I deal with security issues regularly in my day job, I decided to see how secure the server was that was hosting these sites -- It wasn't! With very little effort I was able to have complete access to the data and source of over 150 or so sites that were sharing each of the servers. The scariest part was when I notified the ISP about the holes; their response was "don't do that." Up until we switched ISP's, the holes were still wide open.

Shift4Sms
01-27-2003, 11:10 PM
But I have been quoted 400 a year by my ISP to have SSL and https.
Who are you using? While my exposure to what ISP's charge is limited, the three ISP's that I have dealt with directly all quoted Verisign's MSRP of $200-$400 US a year and this was their preferred method (because they get a kick back from Verisign). But all three gave me the option to get my own certificate from about a half dozen or so certificate authorities -- for free. I pay $119 per year for a GeoTrust certificate and it works great.

I know there will be some discrepancy in what you pay and what I pay since you are in the U.K. and I'm in the U.S. but 400 a year seems like robbery! The robbery is emphasized by the fact that Thawte is cheaper than Verisign (even though they are the same company) and most likely, Thawte is who your ISP will use since they are the biggest CA in the U.K.

Also, many of the ISP's here provide for the use of a shared SSL cert for free if you're willing to put up with the lack of site authentication and only want SSL's encrypted pipe capabilities.

Philip M
01-28-2003, 07:06 PM
Thank you everyone for the information. I have noted the points and taken them on board as best I can. I must say that I am pretty surprised to learn that the servers of large and reputable ISPs can be hacked into as easily as you say - would it be naive to ask why this does not happen more often (continuously in fact!)? And are the ISPs unable to learn how to improve their security and prevent this?

I have no technical knowledge in this area at all, perhaps I am too trusting and too ignorant, but again I wonder why, if intercepting emails is as simple as alleged, it does not happen all the time. As I say, it is not just a matter of credit card details - juicy blackmail opportunities might well appear. And still no-one has been able to quote a specific example of this actually happening.

One might suppose that the Bank of England is insecure as well. After all, you might say that if anyone gained access to the vaults he would be able to walk off with as much gold as he could carry.

I don't want to prolong this thread (although I see that at 269 views it seems to have attracted some interest). I am very much obliged to everyone who has contributed - but I have to confess that in my heart I still believe that the scope for the interception of emails is rather similar to the reports of Mark Twain's death! Some of you may respond that the Catholic concept of "invincible ignorance" applies to me!

mouse
01-28-2003, 07:43 PM
I'd not worry so much about ISP hacks as the few dozen routers between you and the ISP, any data packet can be intercepted here. I'm unaware of legislation on the subject of intercepting transmission of data, although I'm not sure it falls under either the Computer Misuse Act or Data Protection Act.

Really the only secure thing about email is in the numbers sent each day, this diminishes if a nasty-Feyd comes across a website using email for ecommerce and targets it.

A lot of people here, and previously at WA, have looked at e-commerce and balked at the initial expense, there are a few ways though... If I were you I'd investigate services from Worldpay, Netbanx etc, as a stepping stone to full SSL, you'd at least find out whether you were losing custom through using the email system.

scroots
01-28-2003, 07:44 PM
I consider this to be a matter of the above two words because that is what it is all about.
People think that a major internet provider will have high security on it to stop hackers, because people think this people will not try whereas they probably do not have major security.

Determination is the second word, if someone found around 200 people operating a service like yours (I'm not putting your service down) and they are discovered to be on the same server, somebody who wants credit card numbers will be determined to hack into it. They hack in and can get all the numbers off previous and subsequent orders, if the hole isn't noticed they could go on in theory for years.

So 5 orders a day 200 companies = 1000 credit card numbers a day. One year = 365 000 credit card numbers.

that is just my two cents
scroots

oracleguy
01-29-2003, 12:20 AM
Originally posted by Philip M

E.g. 5400 0000 0000 0500 is a "valid" number which I have just this minute manufactured.

Here is a genuinely valid credit card number (mine!) "weakly" encrypted by my order form (average of 5 orders a day):-

e279c573247b84692a6bd71ad399d27058a96e4

As I say, that encryption CAN be broken but I'll bet that no-one here will be willing to devote the time required to decypher it.


I have two things to say on this issue. Firstly about your encryption... with a few more sets of characters I'm sure with a little effort it could be broken. That's what it takes, patterns, you might not see it by looking at two of them or even ten. But there is one. And there is a reason why software like PGP costs so much.

Also... I work part-time for a non-profit organization and we take orders over the internet. And it was out of our budget to purchase a SSL certificate. So instead we just use PayPal. Granted some people are wary of PayPal because they, like lots of other high-profile internet companies are huge targets. So we also offer payment via snail mail. The point was, is that we concluded that it wouldn't be advisable to have a non-secure form. And PayPal is relatively cheap too.

I know I certainly would not buy from an online form that wasn't SSL encrypted.

zoobie
01-29-2003, 08:33 AM
I'm sure you want to increase sales...I have 10+ years experience selling stuff from wine to waterbeds. :D Simply said, using SSL will increase your sales, period.

I agree that 400 bps seems a lot for a certificate. Only geeks will recognize a major player (thawte, verisign, geotrust) but you can use the U$15-25-49 ones @ www.freessl.com and www.instantssl.com They may not be recognized as well as the "big boys" (hardly anyone looks) but will do the job just as well and just as smoothly.

Using a shared SSL isn't recommended because of the huge warning pop-up saying the url's don't match on the certificate which scares away potential customers.

You could also look into PGP (pretty good privacy) encryption as an alternative...but that's another movie. :cool:

Shift4Sms
01-29-2003, 07:43 PM
Originally posted by zoobie:
Only geeks will recognize a major player (thawte, verisign, geotrust) but you can use the U$15-25-49 ones
As one geek talking to another (because only a geek would know about the little guys), while security wise these "little guys" are as secure as the "big guys" (they use the same encryption techniques), a big issue you overlooked is that "little guys" are also less known -- by people and browsers.

In the vein of "you'll increase sales by looking more legitimate", you mentioned that "Using a shared SSL isn't recommended because of the huge warning pop-up...", with many browsers, these "little guy" SSL certs will trigger a warning pop-up stating something to the effect that the SSL certificate is from an untrusted certificate authority -- do you want to trust them? To me, this is just as scary as "the certificate is valid but appears to be from a different domain."

I am not saying that using a shared SSL is any better than using a "little guy" SSL certificate. I'm just saying to weigh all the facts before blindly going down the cheapest (or most expensive, for that matter) solution route...

Philip M
01-29-2003, 09:15 PM
Kiwi says "The possibility of intercepting a message is actually very small. The main reason for this is that messages are split into small packets for transmission. These packets can (and usually do) follow different routes between points A and B. To recreate a message from the transmission process would be difficult to say the least."

mouse says "I'd not worry so much about ISP hacks as the few dozen routers between you and the ISP, any data packet can be intercepted here. "

erm......

One more time - I am not saying that my encryption cannot be broken given time and effort, and especially of course with multiple examples to work with.

With the greatest respect to all the very knowledgeable people in this forum, I am still not prepared to believe that the message containing the encrypted card number can be intercepted in the first place, either in transit or on my very reputable ISP's server. Possibly there are "minor players" or "cottage industries" which really are insecure. I would love to be shown to be wrong, but no-one has produced a single real, concrete, actual example of that happening.

It MAY have happened, at the dawn of the internet age, but as you say major retailers and financial institutions must be under constant attack - and they could not carry on if their data was insecure. I suspect that most claims to the contrary are hoaxes designed to embarrass some large corporation, e.g.-

I have just hacked into Megabank's computer and I can reveal that Bill Gates's personal MasterCard number is 5429 3007 1641 2918 Expires 10/04. This clearly shows: a) that I am much smarter than Megabank and can easily break through their security, and b) that Megabank is a lax organisation which cannot be trusted to keep your account details private. If you wish I will generate a thousand credit card numbers to "prove" that I have hacked into the bank's files.

To those who make the point that it is the customer's perception that counts, yes, I agree entirely. In the rather unusual context I don't think that SSL would generate a single order more - our customers are offered a whole range of ordering options, including requesting our digital ID and thus sending a secure email, splitting their credit card number over two or more emails, printing off an order form on paper and sending it by post, plus of course phone, fax and street mail, or any combination of these (some place email orders and then phone their card details through).

Anyway, at least the subject seems to have aroused some interest. Thanks again to all who have commented.

Kiwi
01-29-2003, 09:34 PM
mouse is correct, in that the major nodes do reassemble the message en route -- I was referring to the possibility of intercepting the message without using the network architecture to do that. As I said before, you are opening yourself to very real security risks which will translate into very real legal risks (you have a legal duty of care that you are failing to meet).

firepages
01-30-2003, 01:37 AM
I don't know which formmail you are using, let's say the most popular one on the web...

http://support.nildram.net/online.php/Notices/formmail.php

ok you or your provider may well have that sorted, but it's another angle.

as is the possibility of someone installing a packet-sniffer on your network and sending copies of your email elsewhere.

Thing is, taking this thread as a whole you can probably see that there are a whole heap of ways that your data could be compromised, perhaps none are easy or even likely but each is possible, has already been exploited and will continue to be exploited.

Each possibility lowers the security of your application, and whilst I agree that there is a lot of hacking hype, it is still a real risk that should be accounted for.

Note that SSL itself is only part of the defence, most CC card numbers are grabbed from unsecure servers & databases (all Microsoft servers are inherently insecure, that goes for MSSQL servers as well) https is only a facade of security if the rest of the system is not up to scratch.

point is there are too many things that are out of your control regarding security that again, a little paranoia is a good thing.

but yes its been an interesting thread :D

zoobie
01-30-2003, 03:28 AM
You can also be sued for contributing to ruining someone's credit rating should the worst happen. :eek:

Philip M
01-30-2003, 07:55 AM
Originally posted by zoobie
You can also be sued for contributing to ruining someone's credit rating should the worst happen. :eek:

In America, land of loony-toons litigation, very likely. Luckily I am in the UK! The possibility is as unreal and far-fetched as, well, never mind!

Firepages - thank you for your excellent and lucid summary.


