Debate

摘要

Playing the odds straight, online providers who self-insure against fraudulent transactions must now act as if all client initiated connections come from compromised hosts, full stop. For those who don't self-insure, the facts are the same: the odds of compromise are such that your question should be whether your customer accounts have anything worth stealing, not whether it is possible to do so. This presents a Hobbesian choice to be sure, but the alternative to internet crime is no longer more network security, nor is it more authentication/authorization. Rather, the answer is to insulate and isolate your client-side code, whatever yours is, from the client-side operating system.