Using crypto against Phishing, Spoofing and Spamming...
Steven M. Bellovin
smb at research.att.com
Mon Jul 19 15:54:21 EDT 2004
In message <40FA611F.8030403 at systemics.com>, Ian Grigg writes:
>>
>> Don't be silly. It's not a threat because people generally use
>> SSL. Back in the old days, password capture was a very serious
>> threat. It went away with SSH. It seems to me quite likely that
>> it would be a problem with web browsing in the absence of SSL.
>
>
>Right... It's easy to claim that "it went away"
>because we protected against it. Unfortunately,
>that's just a claim - there is no evidence of
>that.
>
>This is why I ask whether there has been any
>evidence of MITMs, and listening attacks. We
>know for example that there were password
>sniffing attacks back in the old days, by
>hackers. Hence SSH. Costs -> Solution.
>
>But, there is precious little to suggest that
>credit cards would be sniffed - I've heard one
>isolated and unconfirmable case. And, there is
>similar levels of MITM evidence - anecdotes and
>some experiences in other fields, as reported
>here on this list.
>
I think that Eric is 100% correct here: it doesn't happen because it's
a low-probability attack, because most sites do use SSL.
I think that people are forgetting just how serious the password
capture attacks were in 1993-94. The eavesdropping machines were on
backbones of major ISPs; a *lot* of passwords were captured.
Furthermore, the technology has improved -- have you looked at dsniff
lately, with the ARP-based active attack capability? And credit cards
are much easier to grab -- they're probably sent in one packet, instead
of several, and the number is a self-checking string of digits.
It's also worth remembering that an SSL-like solution -- cryptographically
protecting the transmission of credit card number, instead of digitally
signing a funds transfer authorization linked to some account -- was
more or less the only thing possible at the time. The Internet as a
medium of commerce was too new for the banks to have developed
something SET-like, and there wasn't an overwhelmingly-dominant client
platform at the time for which custom software could be developed.
(Remember that Windows 95 was the first version with an integral TCP/IP
stack.) *All* that Netscape could deploy was something that lived in
just the browser and Web server. SET itself failed because the
incentives were never there -- consumers didn't perceive any benefit to
installing funky software, and merchants weren't given much incentive
to encourage it.
--Steve Bellovin, http://www.research.att.com/~smb
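The claim above that a card number is "a self-checking string of digits" refers to the Luhn mod-10 check digit that payment card numbers carry. The following added example (not code from the post, and not dsniff's own filter logic) shows why that makes card numbers easy to pick out of a single cleartext packet: a sniffer only needs a digit-run pattern plus the Luhn check to separate real card numbers from order IDs, timestamps and phone numbers. The HTTP POST payload, hostname and field values are constructed for this illustration.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so a 20-digit order ID is skipped).
CARD_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: the 'self-checking' property of card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_card_numbers(payload: bytes) -> list[str]:
    """Return the distinct Luhn-valid 13-19 digit strings in one packet payload."""
    found = []
    for m in CARD_CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


# Constructed sample: a cleartext checkout POST as it would appear on the wire
# without SSL. The host, card number (a well-known test number), order ID and
# phone number are made up for this example.
SAMPLE_POST = (
    b"POST /checkout HTTP/1.0\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"name=J+Doe&card=4111-1111-1111-1111&exp=0499"
    b"&order=20040719123456&phone=555-0100"
)

if __name__ == "__main__":
    # Only the card field survives: the 14-digit order ID fails Luhn and the
    # phone number is too short to be a candidate at all.
    print(extract_card_numbers(SAMPLE_POST))
```

Contrast this with a password, which on a character-at-a-time telnet session arrives spread over many packets and has no checksum: the sniffer has to reassemble the stream and guess where the password starts, which is the extra work Bellovin's "one packet" remark alludes to.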
---------------------------------------------------------------------
The Cryptography Mailing List