Re: Public FTP Space (was looking for sites to host my crypto...)
At 04:56 AM 7/14/2004, J.A. Terranson wrote:

> Recently a list member requested public ftp/web space for the hosting of various crypto files.

Also see: http://munitions.vipul.net/

For Linux-based crypto software only, AFAIK. Multi-homed, hosted outside the US.

Udhay

-- 
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Using crypto against Phishing, Spoofing and Spamming...
> SET failed due to the complexity of distributing the software and setting up the credentials. I think another reason was the go-fast atmosphere of the late 90s, where no one wanted to slow down the growth of ecommerce. The path of least resistance was simply to bring across the old way of authorizing transactions by card number.

I think your other reason was in fact the primary reason. And, of course, the primary enablers of the go-fast approach were, in fact, the very same credit card companies. They made a conscious business decision to treat online transactions the same as conventional transactions -- I forget the details, but it was pretty risk-free for a merchant to do online credit cards, getting low surcharge rates. That, coupled with the US law that limited consumer liability to $50, made CCard-over-SSL a no-brainer over SET.

From a consumer viewpoint, CC/SSL is more secure than SET ever was. Since it wasn't a CCard transaction, my liability under SET was unlimited (at least until Congress caught up to the technology). Looking at the risk management aspect, SET was a big loser for the customer.

/r$

-- 
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
New Attack on Secure Browsing
Financial Cryptography Update: New Attack on Secure Browsing
July 15, 2004
http://www.financialcryptography.com/mt/archives/000179.html

Congratulations go to PGP Inc - who was it, guys, don't be shy this time? - for discovering a new way to futz with secure browsing. Click on http://www.pgp.com/ and you will see an SSL-protected page with that cute little padlock next to the domain name. And they managed that over HTTP, as well! (This may not be seen in IE version 5, which doesn't load the padlock unless you add it to favourites, or some such.)

Whoops! That padlock is in the wrong place, but who's going to notice? It looks pretty bona fide to me, and you know, for half the browsers I use, I often can't find the darn thing anyway. This is so good, I just had to add one to my SSL page (http://iang.org/ssl/ ). I feel so much safer now, and it's cheaper than the ones that those snake oil vendors sell :-)

What does this mean? It's a bit of a laugh, is all, maybe. But it could fool some users, and as Mozilla Foundation recently stated, the goal is to protect those that don't know how to protect themselves. Us techies may laugh, but we'll be laughing on the other side when some phisher tricks users with the little favicon.

It all puts more pressure on the oh-so-long overdue project to bring the secure back into secure browsing. Microsoft have befuddled the already next-to-invisible security model even further with their favicon invention, and getting it back under control should really be a priority. Putting the CA logo on the chrome now seems inspired - clearly the padlock is useless. See countless rants [1] listing the 4 steps needed and also a new draft paper from Amir Herzberg and Ahmad Gbara [2] exploring the use of logos on the chrome.
[1] SSL considered harmful, http://iang.org/ssl/
[2] Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm
Humorous anti-SSL PR
This barely deserves mention, but is worth it for the humor:

Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe
http://www.prweb.com/releases/2004/7/prweb141248.htm
Re: Humorous anti-SSL PR
J Harper [EMAIL PROTECTED] writes:

> This barely deserves mention, but is worth it for the humor:
>
> Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe
> http://www.prweb.com/releases/2004/7/prweb141248.htm

What's wrong with a condom that protects the pipe? I've used condoms many times and they seemed to do quite a good job of protecting my pipe.

-Ekr
Re: Humorous anti-SSL PR
J Harper wrote:

> This barely deserves mention, but is worth it for the humor:
>
> Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe
> http://www.prweb.com/releases/2004/7/prweb141248.htm

I guess the intention was to provide more end-to-end security for transaction data. After a reasonable start, if a bit scattered, it breaks down with this:

> What we can be certain of is that it is not possible to have a man-in-the-middle attack with FormsAssurity encryption ensures that the form has really come from the claimed web site, the form has not been altered, and the only person that can read the information filled in on the form is the authorized site.

Which is quite inconsistent - so much so that it seems that the press release writer got confused over which system he or she was talking about.

iang
RE: Humorous anti-SSL PR
> This barely deserves mention, but is worth it for the humor:
>
> Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe
> http://www.prweb.com/releases/2004/7/prweb141248.htm

The article says:

> The weaknesses of SSL implementations have been well known amongst security professionals, but their argument has been that SSL is the best tool currently on offer. The fact that it can be spoofed and is open to man in the middle attacks is played down.

O.k., so if there is a vulnerability in a particular implementation there might be a possible MITM attack. It is also possible to do MITM if the user doesn't do proper verification. But I wouldn't say that SSL implementations in general are susceptible to MITM attacks.

Later in the article it is written:

> What we can be certain of is that it is not possible to have a man-in-the-middle attack with FormsAssurity - encryption ensures that the form has really come from the claimed web site, the form has not been altered, and the only person that can read the information filled in on the form is the authorized site.

O.k., so how do they achieve such assurances?

Eric's comment about condoms being effective is right, so bad analogy as well!

--Anton
Re: Humorous anti-SSL PR
J Harper [EMAIL PROTECTED] wrote:

> This barely deserves mention, but is worth it for the humor:
>
> Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe
> http://www.prweb.com/releases/2004/7/prweb141248.htm

To which Eric Rescorla replied:

> What's wrong with a condom that protects the pipe? I've used condoms many times and they seemed to do quite a good job of protecting my pipe.

The humor just keeps on coming. It's always amusing to see an invocation of the principle that "I've tried it on several occasions and it seemed to work, therefore it must be trustworthy."

What's wrong with this depends, as usual, on the threat model. Sometimes it is wise to consider other parts of the system (not just the pipe) in the threat model. If we set you up on a blind date with an underfed grizzly, you might find that protecting your pipe with a condom doesn't solve all your problems.