2002-02-13
PKI provides Web users with a false sense of security that undermines the security of their on-line information.
PKI - Breaking the Yellow Lock
2002-02-14
Sjonnie (1 replies)
This is news... how?
2002-02-15
TheReject (2 replies)
PKI - Breaking the Yellow Lock
2002-02-17
Exothermic Reaction (2 replies)

"The problem is, (SSL Deployments) AREN’T secure. This is a fundamental problem with how PKI is deployed by the industry. And it’s something the PKI vendors such as VeriSign, Entrust, and others don’t want to discuss publicly, since it’s their profit that may be at stake."
And yet on Entrust's PUBLIC website there is this item in one of their FAQs:
"5. Isn't Secure Sockets Layer (SSL) an accepted industry standard, and doesn't it sufficiently protect information submitted to a website? (top)
SSL is a perfectly good, and widely used standard for identifying websites, and protecting information as it moves between the Web browser and Web server. But that is all it does. Other solutions are required to augment SSL and provide stronger user identification and privacy of information as it moves beyond the Web server. There are well-documented cases where SSL has been used to secure applications that accept credit card transactions, only to have the credit card numbers sit in human readable form on the Web server where hackers have easy access to them. Instead of attacking the transmission of the data, they simply attack where the data is stored."
- http://www.entrust.com/security101/faqs.htm
Did you do any research? Do you have any conscience? How can you spout such lies and sleep at night?