security
Dick Hardt
dick at sxip.com
Mon Oct 23 01:07:57 UTC 2006
On 22-Oct-06, at 5:05 PM, James A. Donald wrote:
> Dick Hardt wrote:
> > This is like saying that all websites should use SSL
> > and we should stop allowing HTTP because it is
> > insecure. Where would the web be if all sites had to
> > run SSL to start off with?
>
> Well for one thing we would not now have a massive
> phishing crisis.

Uh, pretty much all sites targeted by phishing are running SSL.
Note that few sites NOT running SSL are targeted by phishing, so SSL
only slows them down.
Summary: SSL has no minimal impact on phishing

>
> SSL was and is specified without adequate concern for
> efficiency, but the steady increase in the power of
> computers has made this less of a concern.

Hey, if you guys can convince the other editors to make SSL a
requirement for an IdP, I would be a +1.
I would be a -1 on making it a requirement for an RP as there are many
sites that are doing non-sensitive transactions where OpenID removes
speed bumps, but nothing sensitive is being transmitted.

-- Dick