At 02:13 PM 3/25/2002 -0600, you wrote:
> There's a very nice paper by Ross Anderson called "Why Cryptosystems
> fail" available at http://citeseer.nj.nec.com/9195.html - it's a crappy
> PDF file on the site ... I have a high quality original if anyone's
> interested.
>
> The basic message is that trusting in technology does not give you
> security - SSL and PIN can all be bypassed with ease if you have the
> time or the desire ... there was a nice article on cryptome.org a while
> back about this.

I'm no crypto guru, but I have read my fair share of articles about this very thing. The most interesting attack I've read about is to just install a keyboard sniffer on a PC. It wouldn't be difficult, and you totally bypass the encryption. Code Red Sniffer... Sendmail Sniffer...

Now, you may consider a keyboard sniffer to be ineffective if you want to gather a large number of passwords from various sources, but password entry has special characteristics. For example, echo is usually turned off during password entry, which would be a good alert to a key-sniffing program that someone was entering their password.

On a related note, there is a paper that came from a recent USENIX Security Symposium about using this very technique in timing attacks against SSH. In that paper, which wasn't about key-sniffing but about timing attacks, the attacker would make estimates about the time it took to hit each key. And because the attacker could watch each keystroke go across the wire, even if it was encrypted, he could then make an educated guess about your password. For example, it will take most people longer to type "a_" than "fj".

Regards,
Dustin

> --
> Edmund Cramp
> http://www.emgsrus.com/graffiti.htm
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Hebert
> > Sent: Monday, March 25, 2002 1:46 PM
> > To: [EMAIL PROTECTED]
> > Subject: SSL and security was Re: [brluglist] Yahoo E-Mail - Beware: Non-Linux Related
> >
> > Well, there's a big ole can of worms you are opening. :)
> >
> > There are a number of security factors to consider beyond SSL and PIN
> > numbers (authentication, authorization, network security, etc., ad
> > infinitum...), but for the sake of this discussion, let's just consider
> > SSL with a PIN.
> >
> > IMHO, for your needs, SSL (Secure Socket Layer) is secure. I assume
> > that Yahoo can support 128-bit SSL encryption, so make sure your
> > browser(s) use this. Most new browsers do. If you want to know more
> > about SSL: http://www.openssl.org. Anybody know how long it would take
> > to decrypt 128-bit SSL?
> >
> > Now the PIN is another story. Treat the PIN just like a password, which
> > is basically what it is. I assume that Yahoo keeps these PINs encrypted
> > and secure in their databases, but who knows for sure?
> >
> > Also, make sure you have a good SSL connection (https://...) with the
> > little "gold key" icon whenever you transmit secure data from your
> > browser.
> >
> > John Hebert
> >
> > --- Kory Wnuk <[EMAIL PROTECTED]> wrote:
> > > As I am sure that many of you are aware, Yahoo is attempting to have
> > > users of the Yahoo mail system pay for POP access and mail
> > > forwarding. This is not an overly big deal to me personally. However,
> > > to pay for this service one is required to have a Yahoo "Wallet"
> > > account. This will allow all of my credit card numbers to be stored
> > > in one location for easy access. This is supposedly secure (SSL).
> > > This combined with a PIN is supposed to make me feel comfortable.
> > > Does anyone have any information regarding what level of security
> > > might be expected from a system such as the one I have briefly
> > > described? Thanks.
> > >
> > > -K
> > >
> > > =====
> > > Contrary to what you may believe, I don't do Windows!
> > >
> > > ================================================
> > > BRLUG - The Baton Rouge Linux User Group
> > > Visit http://www.brlug.net for more information.
> > > Send email to [EMAIL PROTECTED] to change
> > > your subscription information.
> > > ================================================

---
Dustin Puryear <[EMAIL PROTECTED]>
Information Systems Contractor
http://members.telocity.com/~dpuryear
PGP Key available at http://www.us.pgp.net
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams
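The SSH keystroke-timing leak Dustin mentions, and the standard defence against it, as an added example (constructed for this thread, not code from the post or from the USENIX paper). The digraph latencies and the 20 ms send clock are assumed values; the mitigation modelled is the fixed-clock-with-chaff schedule that modern interactive SSH implementations use, so the wire shows only uniform gaps regardless of typing rhythm.

```python
"""Inter-keystroke timing as a side channel, and a fixed-clock send schedule
that removes it. Constructed example with assumed timings, not real traffic."""
import math

# Constructed digraph latencies in seconds: how long a hypothetical typist
# pauses between two keys. "a_" is slower than "fj", as the post suggests.
DIGRAPH_LATENCY = {"fj": 0.10, "a_": 0.32}


def keystroke_times(text, latency=DIGRAPH_LATENCY, default=0.15):
    """Absolute press time of each character of `text`, built from the
    digraph latency table (unlisted pairs get `default`)."""
    times = [0.0]
    for prev, cur in zip(text, text[1:]):
        times.append(times[-1] + latency.get(prev + cur, default))
    return times


def wire_times_immediate(press_times):
    """Interactive SSH without mitigation: one packet per keystroke, sent
    the instant the key is pressed, so packet gaps mirror typing rhythm."""
    return list(press_times)


def wire_times_fixed_clock(press_times, quantum=0.02, tail_ticks=5):
    """Mitigation: packets leave only on ticks of a fixed clock, and idle
    ticks carry chaff packets for `tail_ticks` ticks after the last real
    keystroke. Every gap an observer sees equals `quantum`."""
    last_tick = math.ceil(press_times[-1] / quantum) + tail_ticks
    return [i * quantum for i in range(last_tick + 1)]


def intervals(times):
    """Gaps between consecutive packets, rounded to absorb float noise."""
    return [round(b - a, 6) for a, b in zip(times, times[1:])]


def distinct_gaps(text, wire_fn):
    """Sorted set of packet gaps visible on the wire for `text`. More than
    one distinct value means the typing rhythm, and with it digraph
    information, survives on the wire."""
    return sorted(set(intervals(wire_fn(keystroke_times(text)))))


if __name__ == "__main__":
    for fn in (wire_times_immediate, wire_times_fixed_clock):
        print(fn.__name__, distinct_gaps("fja_", fn))
```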
