Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Tom Weinstein
Ian G wrote: But don't get me wrong - I am not saying that we should carry out a world wide pogrom on SSL/PKI. What I am saying is that once we accept that listening right now is not an issue - not a threat that is being actively dedended against - this allows us the wiggle room to deploy that

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Adam Shostack
On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote: | | Ian G [EMAIL PROTECTED] writes: | Perhaps you are unaware of it because no one has chosen to make you | aware of it. However, sniffing is used quite frequently in cases where | information is not properly protected. I've

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Ian G
Ahh-oops! That particular reply was scrappily written late at night and wasn't meant to be sent! Apologies belatedly, I'd since actually come to the conclusion that Steve's statement was strictly correct, in that we won't ever *see* sniffing because SSL is in place, whereas I interpreted this

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Ian G
On Thursday 02 June 2005 11:33, Birger Tödtmann wrote: Am Mittwoch, den 01.06.2005, 15:23 +0100 schrieb Ian G: [...] For an example of the latter, look at Netcraft. This is quite serious - they are putting out a tool that totally bypasses PKI/SSL in securing browsing. Is it insecure?

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Anne Lynn Wheeler
Adam Shostack wrote: So, that may be the case when you're dealing with an SSL accelerator, but there are lots of other cases, say, implementing daabase security rules, or ensuring that non-transactional lookups are logged, which are harder to argue for, take more time and energy to implement,

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Daniel Carosone
On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote: So we need to see a Choicepoint for listening and sniffing and so forth. No, we really don't. Perhaps we do - not so much as a source of hard statistical data, but as a source of hard pain. People making (uninformed or

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Perry E. Metzger
Daniel Carosone [EMAIL PROTECTED] writes: On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote: So we need to see a Choicepoint for listening and sniffing and so forth. No, we really don't. Perhaps we do - not so much as a source of hard statistical data, but as a source of

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
On Wednesday 01 June 2005 10:35, Birger Tödtmann wrote: Am Dienstag, den 31.05.2005, 18:31 +0100 schrieb Ian G: [...] As an alternate hypothesis, credit cards are not sniffed and never will be sniffed simply because that is not economic. If you can hack a database and lift 10,000++

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
On Tuesday 31 May 2005 23:43, Perry E. Metzger wrote: Ian G [EMAIL PROTECTED] writes: Just on the narrow issue of data - I hope I've addressed the other substantial points in the other posts. The only way we can overcome this issue is data. You aren't going to get it. The companies that get

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
Hi Birger, Nice debate! On Wednesday 01 June 2005 13:52, Birger Tödtmann wrote: Am Mittwoch, den 01.06.2005, 12:16 +0100 schrieb Ian G: [...] The point is this: you *could* turn off SSL and it wouldn't make much difference to actual security in the short term at least, and maybe not

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
On Tuesday 31 May 2005 19:38, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], Ian G writes: On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], James A. Donald writes: -- PKI was designed to defeat man in the middle attacks based on network

SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Ian G
On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], James A. Donald writes: -- PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a threat than expected. First, you mean the

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ian G writes: On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], James A. Donald writes: -- PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Perry E. Metzger
Ian G [EMAIL PROTECTED] writes: On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: The next part of this is circular reasoning. We don't see network sniffing for credit card numbers *because* we have SSL. I think you meant to write that James' reasoning is circular, but strangely,

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Anne Lynn Wheeler
Steven M. Bellovin wrote: Given the prevalance of password sniffers as early as 1993, and given that credit card number sniffing is technically easier -- credit card numbers will tend to be in a single packet, and comprise a self-checking string, I stand by my statement. the major exploits

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Ian G
On Tuesday 31 May 2005 21:03, Perry E. Metzger wrote: Ian G [EMAIL PROTECTED] writes: On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: The next part of this is circular reasoning. We don't see network sniffing for credit card numbers *because* we have SSL. I think you meant to

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Perry E. Metzger
Ian G [EMAIL PROTECTED] writes: Perhaps you are unaware of it because no one has chosen to make you aware of it. However, sniffing is used quite frequently in cases where information is not properly protected. I've personally dealt with several such situations. This leads to a big issue.