"SSL stops credit card sniffing" is a correlation/causality myth

Ian G iang at systemics.com
Wed Jun 1 10:59:30 PDT 2005 

Ahh-oops!  That particular reply was scrappily written
late at night and wasn't meant to be sent!  Apologies
belatedly, I'd since actually come to the conclusion
that Steve's statement was strictly correct, in that
we won't ever *see* sniffing because SSL is in place,
whereas I interpreted this incorrectly perhaps as
SSL *stopped* sniffing.  Subtle distinctions can
sometimes matter.

So please ignore the previous email, unless a cruel
and unusual punishment is demanded...

iang


On Wednesday 01 June 2005 16:24, Ian G wrote:
> On Tuesday 31 May 2005 19:38, Steven M. Bellovin wrote:
> > In message <200505311831.15142.iang at systemics.com>, Ian G writes:
> > >On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
> > >> In message <427CCA9B.29132.760A1FC at localhost>, "James A. Donald" 
writes:
> > >> >    --
> > >> >PKI was designed to defeat man in the middle attacks
> > >> >based on network sniffing, or DNS hijacking, which
> > >> >turned out to be less of a threat than expected.
> > >>
> > >> First, you mean "the Web PKI", not PKI in general.
> > >>
> > >> The next part of this is circular reasoning.  We don't see network
> > >> sniffing for credit card numbers *because* we have SSL.
> > >
> > >I think you meant to write that James' reasoning is
> > >circular, but strangely, your reasoning is at least as
> > >unfounded - correlation not causality.  And I think
> > >the evidence is pretty much against any causality,
> > >although this will be something that is hard to show,
> > >in the absence.
> >
> > Given the prevalance of password sniffers as early as 1993, and given
> > that credit card number sniffing is technically easier -- credit card
> > numbers will tend to be in a single packet, and comprise a
> > self-checking string, I stand by my statement.
>
> Well, I'm not arguing it is technically hard.  It's just
> un-economic.  In the same sense that it is not technically
> difficult for us to get in a car and go run someone
> over;  but we still don't do it.  And we don't ban the
> roads nor insist on our butlers walking with a red
> flag in front of the car, either.  Well, not any more.
>
> So I stand by my statement - correlation is not causality.
>
> > > * AFAICS, a non-trivial proportion of credit
> > >card traffic occurs over totally unprotected
> > >traffic, and that has never been sniffed as far as
> > >anyone has ever reported.  (By this I mean lots of
> > >small merchants with MOTO accounts that don't
> > >bother to set up "proper" SSL servers.)
> >
> > Given what a small percentage of ecommerce goes to those sites, I don't
> > think it's really noticeable.
>
> Exactly my point.  Sniffing isn't noticeable.  Neither
> in the cases we know it could happen, nor in the
> areas.  The one place where it has been noticed is
> with passwords and what we know from that experience
> is that even the slightest security works to overcome
> that threat.  SSH is overkill, compared to the passwords
> mailouts that successfully protect online password sites.
>
> > > * We know that from our experiences
> > >of the wireless 802.11 crypto - even though we've
> > >got repeated breaks and the FBI even demonstrating
> > >how to break it, and the majority of people don't even
> > >bother to turn on the crypto, there remains practically
> > >zero evidence that anyone is listening.
> > >
> > >  FBI tells you how to do it:
> > >  https://www.financialcryptography.com/mt/archives/000476.
> >
> > Sure -- but setting up WEP is a nuisance.  SSL (mostly) just works.
>
> SSH just works - and it worked directly against the
> threat you listed above (password sniffing).  But it
> has no "PKI" to speak of, and this discussion is about
> whether PKI protects people, because it is PKI that is
> supposed to protect against spoofing - a.k.a. phishing.
>
> And it is PKI that makes SSL "just doesn't set up."
> Anyone who's ever had to set up an Apache web
> server for SSL has to have asked themselves the
> question ... "why doesn't this just work" ?
>
> > As
> > for your assertion that no one is listening, I'm not sure what kind of
> > evidence you'd seek.  There's plenty of evidence that people abuse
> > unprotected access points to gain connectivity.
>
> Simply, evidence that people are listening.  Sniffing
> by means of the wire.
>
> Evidence that people abuse to gain unprotected
> access is nothing to do with sniffing traffic to steal
> information.  That's theft of access, which is a fairly
> minor issue, especially as it doesn't have any
> economic damages worth speaking of.  In fact,
> many cases seem to be more accidental access
> where neighbours end up using each other's access
> points because the software doesn't know where the
> property lines are.
>
> > >> Since many of
> > >> the worm-spread pieces of spyware incorporate sniffers, I'd say that
> > >> part of the threat model is correct.
> > >
> > >But this is totally incorrect!  The spyware installs on the
> > >users' machines, and thus does not need to sniff the
> > >wire.  The assumption of SSL is (as written up in Eric's
> > >fine book) that the wire is insecure and the node is
> > >secure, and if the node is insecure then we are sunk.
> >
> > I meant precisely what I said and I stand by my statement.  I'm quite
> > well aware of the difference between network sniffers and keystroke
> > loggers.
>
> OK, so maybe I am incorrectly reading this - are you
> saying that spyware is being delivered that incorporates
> wire sniffers?  Sniffers that listen to the ethernet traffic?
>
> If that's the case, that is the first I've heard of it.  What
> is it that these sniffers are listening for?
>
> > >  Eric's book and "1.2 The Internet Threat Model"
> > >  http://iang.org/ssl/rescorla_1.html
> > >
> > >Presence of keyboard sniffing does not give us any
> > >evidence at all towards wire sniffing and only serves
> > >to further embarrass the SSL threat model.
> > >
> > >> As for DNS hijacking -- that's what's behind "pharming" attacks.  In
> > >> other words, it's a real threat, too.
> > >
> > >Yes, that's being tried now too.  This is I suspect the
> > >one area where the SSL model correctly predicted
> > >a minor threat.  But from what I can tell, server-based
> > >DNS hijacking isn't that successful for the obvious
> > >reasons (attacking the ISP to get to the user is a
> > >higher risk strategy than makes sense in phishing).
> >
> > They're using cache contamination attacks, among other things.
> >
> > ...
> >
> > >As perhaps further evidence of the black mark against
> > >so-called secure browsing, phishers still have not
> > >bothered to acquire control-of-domain certs for $30
> > >and use them to spoof websites over SSL.
> > >
> > >Now, that's either evidence that $30 is too much to
> > >pay, or that users just ignore the certs and padlocks
> > >so it is no big deal anyway.  Either way, a model
> > >that is bypassed so disparagingly without even a
> > >direct attack on the PKI is not exactly recommending
> > >itself.
> >
> > I agre completely that virtually no one checks certificates (or even
> > knows what they are).
> >
> >
> > 		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cypherpunks-legacy mailing list