Wednesday, June 20, 2007

Trust and the USPS website

Alun Jones, security expert and MS MVP, wrote a 3-part discourse on security (or the lack thereof) on the US Postal Service website. He looks at the USPS web service for signing up to have your mail held while you are away on vacation, and shows how this service teaches some lessons in privacy and security.

Can't I trust the Postal Service? Part 1 - the crypto

(Note that this page shows a problem with their security certificate, since fixed.)

Alun's question is how many people, when presented with a certificate warning, would still click through it and go on. Lesson: if you cannot trust the site's security certificate, you should not continue to the web site.

Part 2 - the certificate, talks about inspecting the security certificate, something you should not do unless you are a security researcher and understand what's going on.

In Part 3 - the service, Alun finally talks about the service they are providing. You are requesting your mail to be held. You should be required to provide some form of ID to certify that you in fact have the right to do it. You do this when you go to the Post Office in person, right? Why is this important? Try identity theft.

Good series, Alun!
