[thelist] I can't believe what I just read....

Warden, Matt mwarden at odyssey-design.com
Thu Oct 19 20:48:02 CDT 2000


> BTW, the IP
> trail is recorded, so even spoofing the http headers is not good enuff.

Mmmmm... proxy servers. There are several "anonymizer" proxy servers that
simply serve as a gateway and record nothing (for any real period of time).
Not to mention that those using dial-up connections get their IPs from a
connection pool. You would have to track down the ISP, give them the time and
IP, and hope their records are good enough to give you the customer's info
(and that they are willing to divulge that info without a court order).

> >You're exposing your account login name - that's an
> >attack point.
> >If I know the payment system, then I can possibly use that account name
> >to hack to admin portions of their system and really screw things up.
>
> The login name without a valid password will get you nowhere. Dare to try?
> I think that VeriSign would be blowing a whistle in no time. Not that I like
> the guys, they are getting too big. But as far as security is concerned, they
> are as secure as you can get.

There are ways to be more secure... mainly by not involving the client in
the verification process. In other words, client to web server to
verification server back to the web server and back to the client with the
response. Here, we have the client directly interacting with the
verification server, which seems like just the easy way out.

--
mattwarden
mattwarden.com
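The two designs Matt contrasts, sketched in code. This is an added example, not code from the list thread or from any real payment system: the verification server, its account registry, the merchant account name and the shared secret are all constructed placeholders. In the server-mediated flow the browser only ever talks to the web server, which holds the merchant secret and forwards a signed charge to the verifier; the client gets back the outcome and nothing else. In the client-direct flow the page itself has to carry the merchant account name to the verifier, which is exactly the exposure the earlier post complained about.

```python
import hashlib
import hmac
import json

# Constructed sample data: placeholder account name and secret, not real credentials.
MERCHANT_ACCOUNT = "merchant-demo"
MERCHANT_SECRET = b"constructed-shared-secret"

# The verifier's own view of registered merchants (hypothetical stand-in for the payment system).
VERIFIER_ACCOUNTS = {MERCHANT_ACCOUNT: MERCHANT_SECRET}


def sign(secret: bytes, account: str, order_id: str, amount_cents: int) -> str:
    """HMAC over the charge fields; proves the caller holds the merchant secret."""
    msg = f"{account}|{order_id}|{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verifier_charge(request: dict) -> dict:
    """Hypothetical verification-server endpoint.

    Accepts a charge only when it is signed with the secret registered for the
    named account. The secret lives on the web server, never in the browser."""
    secret = VERIFIER_ACCOUNTS.get(request.get("account"))
    if secret is None:
        return {"ok": False, "reason": "unknown account"}
    expected = sign(secret, request["account"], request["order_id"], request["amount_cents"])
    if not hmac.compare_digest(expected, request.get("signature", "")):
        return {"ok": False, "reason": "bad signature"}
    auth = hashlib.sha256(f"{request['account']}:{request['order_id']}".encode()).hexdigest()[:8]
    return {"ok": True, "auth_code": auth}


def direct_flow_client_payload(order_id: str, amount_cents: int) -> dict:
    """Client-direct design: the browser posts straight to the verifier, so the
    page must embed the merchant account name for the verifier to look it up."""
    return {"account": MERCHANT_ACCOUNT, "order_id": order_id, "amount_cents": amount_cents}


def mediated_flow(client_request: dict) -> dict:
    """Server-mediated design: client -> web server -> verifier -> web server -> client.

    The web server signs the charge with its own secret, calls the verifier, and
    returns only the outcome. Account name, secret and auth code stay server-side."""
    order_id = str(client_request["order_id"])
    amount = int(client_request["amount_cents"])
    verifier_request = {
        "account": MERCHANT_ACCOUNT,
        "order_id": order_id,
        "amount_cents": amount,
        "signature": sign(MERCHANT_SECRET, MERCHANT_ACCOUNT, order_id, amount),
    }
    result = verifier_charge(verifier_request)
    return {"order_id": order_id, "approved": result["ok"]}


def client_sees_account(message: dict) -> bool:
    """True if anything the client handles contains the merchant account name."""
    return MERCHANT_ACCOUNT in json.dumps(message)


if __name__ == "__main__":
    print("mediated:", mediated_flow({"order_id": "A100", "amount_cents": 1999}))
    print("direct payload leaks account:", client_sees_account(direct_flow_client_payload("A100", 1999)))
```

The `verifier_charge` signature check is what makes the mediated flow stronger than the direct one: a bare account name is useless to the verifier without the secret, and because the secret never leaves the web server the client cannot learn it from the page or the traffic.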
