"SSL stops credit card sniffing" is a correlation/causality myth

Ian G iang at systemics.com
Tue May 31 10:31:04 PDT 2005 

On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
> In message <427CCA9B.29132.760A1FC at localhost>, "James A. Donald" writes:
> >    --
> >PKI was designed to defeat man in the middle attacks
> >based on network sniffing, or DNS hijacking, which
> >turned out to be less of a threat than expected.
>
> First, you mean "the Web PKI", not PKI in general.
>
> The next part of this is circular reasoning.  We don't see network
> sniffing for credit card numbers *because* we have SSL.

I think you meant to write that James' reasoning is
circular, but strangely, your reasoning is at least as
unfounded - correlation not causality.  And I think
the evidence is pretty much against any causality,
although this will be something that is hard to show,
in the absence.

 * AFAICS, a non-trivial proportion of credit
card traffic occurs over totally unprotected
traffic, and that has never been sniffed as far as
anyone has ever reported.  (By this I mean lots of
small merchants with MOTO accounts that don't
bother to set up "proper" SSL servers.)

 * We know that from our experiences
of the wireless 802.11 crypto - even though we've
got repeated breaks and the FBI even demonstrating
how to break it, and the majority of people don't even
bother to turn on the crypto, there remains practically
zero evidence that anyone is listening.

  FBI tells you how to do it:
  https://www.financialcryptography.com/mt/archives/000476.html

As an alternate hypothesis, credit cards are not
sniffed and never will be sniffed simply because
that is not economic.  If you can hack a database
and lift 10,000++ credit card numbers, or simply
buy the info from some insider, why would an
attacker ever bother to try and sniff the wire to
pick up one credit card number at a time?

And if they did, why would we care?  Better to
let a stupid thief find a way to remove himself from
a life of crime than to channel him into a really
dangerous and expensive crime like phishing,
box cracking, and purchasing identity info from
insiders.

> Since many of 
> the worm-spread pieces of spyware incorporate sniffers, I'd say that
> part of the threat model is correct.

But this is totally incorrect!  The spyware installs on the
users' machines, and thus does not need to sniff the
wire.  The assumption of SSL is (as written up in Eric's
fine book) that the wire is insecure and the node is
secure, and if the node is insecure then we are sunk.

  Eric's book and "1.2 The Internet Threat Model"
  http://iang.org/ssl/rescorla_1.html

Presence of keyboard sniffing does not give us any
evidence at all towards wire sniffing and only serves
to further embarrass the SSL threat model.

> As for DNS hijacking -- that's what's behind "pharming" attacks.  In
> other words, it's a real threat, too.

Yes, that's being tried now too.  This is I suspect the
one area where the SSL model correctly predicted
a minor threat.  But from what I can tell, server-based
DNS hijacking isn't that successful for the obvious
reasons (attacking the ISP to get to the user is a
higher risk strategy than makes sense in phishing).

User node-based hijacking might be more successful.
Again, that's on the node, so it can totally bypass any
PKI based protections anyway.

I say "minor threat" because you have to look at the big
picture:  attackers have figured out a way to breach the
secure browsing model so well and so economically
that they now have lots and lots of investment money,
and are gradually working their way through the various
lesser ways of attacking secure browsing.

As perhaps further evidence of the black mark against
so-called secure browsing, phishers still have not
bothered to acquire control-of-domain certs for $30
and use them to spoof websites over SSL.

Now, that's either evidence that $30 is too much to
pay, or that users just ignore the certs and padlocks
so it is no big deal anyway.  Either way, a model
that is bypassed so disparagingly without even a
direct attack on the PKI is not exactly recommending
itself.

iang
-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cypherpunks-legacy mailing list