Perry E. Metzger writes:
> It is my prediction that we will, in the next five years, get the
> failure of a couple of international financial institutions because of
> insufficient attention to systems security,
You're being too conservative. I point you to Citibank's loss, last
month, of unen
Adam Shostack wrote:
So, that may be the case when you're dealing with an SSL accelerator,
but there are lots of other cases, say, implementing database security
rules, or ensuring that non-transactional lookups are logged, which
are harder to argue for, take more time and energy to implement, and
On Thursday 02 June 2005 11:33, Birger Tödtmann wrote:
> Am Mittwoch, den 01.06.2005, 15:23 +0100 schrieb Ian G:
> [...]
>
> > For an example of the latter, look at Netcraft. This is
> > quite serious - they are putting out a tool that totally
> > bypasses PKI/SSL in securing browsing. Is it inse
Ahh-oops! That particular reply was scrappily written
late at night and wasn't meant to be sent! Apologies
belatedly, I'd since actually come to the conclusion
that Steve's statement was strictly correct, in that
we won't ever *see* sniffing because SSL is in place,
whereas I interpreted this inc
On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote:
|
| Ian G <[EMAIL PROTECTED]> writes:
| >> Perhaps you are unaware of it because no one has chosen to make you
| >> aware of it. However, sniffing is used quite frequently in cases where
| >> information is not properly protected. I
Ian G wrote:
But don't get me wrong - I am not saying that we should
carry out a world wide pogrom on SSL/PKI. What I am
saying is that once we accept that listening right now
is not an issue - not a threat that is being actively
defended against - this allows us the wiggle room to
deploy that
On Tuesday 31 May 2005 19:38, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, Ian G writes:
> >On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
> >> In message <[EMAIL PROTECTED]>, "James A. Donald" writes:
> >> >--
> >> >PKI was designed to defeat man in the middle attacks
>
On Tuesday 31 May 2005 23:43, Perry E. Metzger wrote:
> Ian G <[EMAIL PROTECTED]> writes:
Just on the narrow issue of data - I hope I've
addressed the other substantial points in the
other posts.
> > The only way we can overcome this issue is data.
>
> You aren't going to get it. The companies th
Hi Birger,
Nice debate!
On Wednesday 01 June 2005 13:52, Birger Tödtmann wrote:
> Am Mittwoch, den 01.06.2005, 12:16 +0100 schrieb Ian G:
> [...]
>
> > The point is this: you *could*
> > turn off SSL and it wouldn't make much difference
> > to actual security in the short term at least, and may
Daniel Carosone <[EMAIL PROTECTED]> writes:
> On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote:
>> > So we need to see a "Choicepoint" for listening and sniffing and so
>> > forth.
>>
>> No, we really don't.
>
> Perhaps we do - not so much as a source of hard statistical data, but
On Wednesday 01 June 2005 10:35, Birger Tödtmann wrote:
> Am Dienstag, den 31.05.2005, 18:31 +0100 schrieb Ian G:
> [...]
>
> > As an alternate hypothesis, credit cards are not
> > sniffed and never will be sniffed simply because
> > that is not economic. If you can hack a database
> > and lift 10
On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote:
> > So we need to see a "Choicepoint" for listening and sniffing and so
> > forth.
>
> No, we really don't.
Perhaps we do - not so much as a source of hard statistical data, but
as a source of hard pain.
People making (uninformed
Ian G <[EMAIL PROTECTED]> writes:
>> Perhaps you are unaware of it because no one has chosen to make you
>> aware of it. However, sniffing is used quite frequently in cases where
>> information is not properly protected. I've personally dealt with
>> several such situations.
>
> This leads to a bi
On Tuesday 31 May 2005 21:03, Perry E. Metzger wrote:
> Ian G <[EMAIL PROTECTED]> writes:
> > On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
> >> The next part of this is circular reasoning. We don't see network
> >> sniffing for credit card numbers *because* we have SSL.
> >
> > I think
Steven M. Bellovin wrote:
Given the prevalence of password sniffers as early as 1993, and given
that credit card number sniffing is technically easier -- credit card
numbers will tend to be in a single packet, and comprise a
self-checking string, I stand by my statement.
the major exploits ha
Ian G <[EMAIL PROTECTED]> writes:
> On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
>> The next part of this is circular reasoning. We don't see network
>> sniffing for credit card numbers *because* we have SSL.
>
> I think you meant to write that James' reasoning is
> circular, but stran
In message <[EMAIL PROTECTED]>, Ian G writes:
>On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
>> In message <[EMAIL PROTECTED]>, "James A. Donald" writes:
>> >--
>> >PKI was designed to defeat man in the middle attacks
>> >based on network sniffing, or DNS hijacking, which
>> >turned o