Re: [tlug] cacert question

[Raymond Wan <rwan.kyoto@example.com>]

Hi Kalin,


On 24/02/11 03:22, Kalin KOZHUHAROV wrote:
> Technically they could, but they have not as of now.
> See Requirement 4 about securing data in transit. As long as https is used,
> it is technically fine to use self-signed cert, or any strong certificate
>   (i.e. not using compromised/low-grade crypto-algorithms).
>
> That is by the standard. When I do assess a system, I go one step further
> and look into how certificates are obtained, stored, installed, etc.
> Sometimes a client will demonstrate very well organized CA practices within
> their organization, so in a way a "self-signed" cert (=signed by the CA of the
> client that is root-CA) does make sense.


I see -- in other words, it's not just about have the best 
lock that money can buy; it's also about whether or not you 
put the key to the lock under the "Welcome" mat in front of 
the door...  :-)


> I haven't heard of a case (that doesn't mean there aren't any) where a
> certificate was really compromised because of bad RCA and as a result
> cardholder data leaked. All the phisinig schemes may involve certificates,
> but usually don't. When they do it, you only see a "funny" window in your
> browser asking to install and trust a new CA (at least the older browsers).
> You click OK and you are phished. Newer browsers add a bit more fanfare
> but don't be sure that granma will be bothered too much...


Opps...  :-)  I've clicked OK sometimes, too, but never for 
use with a credit card.  Usually to do something that (I 
think) is harmless like reading forums or some other text. 
Always makes me wonder why they went to the trouble of 
getting a certificate that isn't authorized or is no longer 
valid for something that seems harmless.


> > Sometimes I find it odd that the security necessary for a web-based
> > transaction is higher than the 4 digits for our bank PIN.
> It is not. The PIN you use comes together with the card, so it is already
> a two-factor authentication. (And NO, you should NEVER enter your PIN
> on a PC keyboard). Plus it is used over a secured channel when you use
> it at the ATM. Plus there is physical security of the ATM and often cameras
> (for auditing).


Yes, I guess I was simplifying things significantly.

And I'm sure someone has done some study that said if the 
PIN was longer, then we would less likely be able to 
remember it and then be "forced" to write it on the back of 
our bank card.

A while back, I saw a TV show that said the reason US 
telephone numbers (this was a US TV show) had 7 digits was 
someone did a study and figured out that was the limit of 
people's memory.  Can't remember where I saw it and how 
credible the whole news segment was.


> If you still have that receipt with all but the last 4 digits, I'll be
> happy to give
> this merchant a call and explain them (or their upstream provider) about
> PCI DSS requirement 3.3 for masking (leaving at most the first 6 and
> last 4 digits)


No, I don't have it anymore; but I will keep this in mind in 
case it happens again.  I don't remember which merchant it was.


> I hope that this late (i.e. early) hour is not very obvious in the
> clarity of my answers, LoL!


Amazingly coherent for 3 am in the morning...  :-)  Thank you!

Ray