In message <200505311831.15142.iang@systemics.com>, Ian G writes:
On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
In message <427CCA9B.29132.760A1FC@localhost>, "James A. Donald" writes:
-- PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a threat than expected.
First, you mean "the Web PKI", not PKI in general.
The next part of this is circular reasoning. We don't see network sniffing for credit card numbers *because* we have SSL.
I think you meant to write that James' reasoning is circular, but strangely, your reasoning is at least as unfounded - correlation not causality. And I think the evidence is pretty much against any causality, although this will be something that is hard to show, in the absence.
Given the prevalance of password sniffers as early as 1993, and given that credit card number sniffing is technically easier -- credit card numbers will tend to be in a single packet, and comprise a self-checking string, I stand by my statement.
* AFAICS, a non-trivial proportion of credit card traffic occurs over totally unprotected traffic, and that has never been sniffed as far as anyone has ever reported. (By this I mean lots of small merchants with MOTO accounts that don't bother to set up "proper" SSL servers.)
Given what a small percentage of ecommerce goes to those sites, I don't think it's really noticeable.
* We know that from our experiences of the wireless 802.11 crypto - even though we've got repeated breaks and the FBI even demonstrating how to break it, and the majority of people don't even bother to turn on the crypto, there remains practically zero evidence that anyone is listening.
FBI tells you how to do it: https://www.financialcryptography.com/mt/archives/000476.
Sure -- but setting up WEP is a nuisance. SSL (mostly) just works. As for your assertion that no one is listening, I'm not sure what kind of evidence you'd seek. There's plenty of evidence that people abuse unprotected access points to gain connectivity.
As an alternate hypothesis, credit cards are not sniffed and never will be sniffed simply because that is not economic. If you can hack a database and lift 10,000++ credit card numbers, or simply buy the info from some insider, why would an attacker ever bother to try and sniff the wire to pick up one credit card number at a time?
Sure -- that's certainly the easy way to do it.
And if they did, why would we care? Better to let a stupid thief find a way to remove himself from a life of crime than to channel him into a really dangerous and expensive crime like phishing, box cracking, and purchasing identity info from insiders.
Since many of the worm-spread pieces of spyware incorporate sniffers, I'd say that part of the threat model is correct.
But this is totally incorrect! The spyware installs on the users' machines, and thus does not need to sniff the wire. The assumption of SSL is (as written up in Eric's fine book) that the wire is insecure and the node is secure, and if the node is insecure then we are sunk.
I meant precisely what I said and I stand by my statement. I'm quite well aware of the difference between network sniffers and keystroke loggers.
Eric's book and "1.2 The Internet Threat Model" http://iang.org/ssl/rescorla_1.html
Presence of keyboard sniffing does not give us any evidence at all towards wire sniffing and only serves to further embarrass the SSL threat model.
As for DNS hijacking -- that's what's behind "pharming" attacks. In other words, it's a real threat, too.
Yes, that's being tried now too. This is I suspect the one area where the SSL model correctly predicted a minor threat. But from what I can tell, server-based DNS hijacking isn't that successful for the obvious reasons (attacking the ISP to get to the user is a higher risk strategy than makes sense in phishing).
They're using cache contamination attacks, among other things. ...
As perhaps further evidence of the black mark against so-called secure browsing, phishers still have not bothered to acquire control-of-domain certs for $30 and use them to spoof websites over SSL.
Now, that's either evidence that $30 is too much to pay, or that users just ignore the certs and padlocks so it is no big deal anyway. Either way, a model that is bypassed so disparagingly without even a direct attack on the PKI is not exactly recommending itself.
I agre completely that virtually no one checks certificates (or even knows what they are). --Steven M. Bellovin, http://www.cs.columbia.edu/~smb --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com