"SSL stops credit card sniffing" is a correlation/causality myth

Anne & Lynn Wheeler lynn at garlic.com
Tue May 31 13:05:51 PDT 2005

Steven M. Bellovin wrote:
> Given the prevalance of password sniffers as early as 1993, and given 
> that credit card number sniffing is technically easier -- credit card 
> numbers will tend to be in a single packet, and comprise a 
> self-checking string, I stand by my statement.

the major exploits have involved data-at-rest ... not data-in-flight. 
internet credit card sniffing can be easier than password sniffing .... 
but that doesn't mean that the fraud cost/benefit ratio is better than 
harvesting large transaction database files. you could possibly 
conjecture password sniffing enabling compromise/exploits of 
data-at-rest ... quick in&out and may have months worth of transaction 
information all nicely organized.

to large extent SSL was used to show that internet/e-commerce wouldn't 
result in the theoritical sniffing making things worse (as opposed to 
addressing the major fraud vulnerability & treat).

internet/e-commerce did increase the threats & vulnerabilities to the 
transaction database files (data-at-rest) ... which is were the major 
threat has been. There has been a proliferation of internet merchants 
with electronic transaction database files ... where there may be 
various kinds of internet access to the databases. Even when the 
prevalent risk to these files has been from insiders ... the possibility 
of outsider compromise can still obfuscate tracking down who is actually 

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cypherpunks-legacy mailing list