Using crypto against Phishing, Spoofing and Spamming...

Steven M. Bellovin smb at research.att.com
Mon Jul 19 15:54:21 EDT 2004


In message <40FA611F.8030403 at systemics.com>, Ian Grigg writes:

>> 
>> Don't be silly. It's not a threat because people generally use
>> SSL. Back in the old days, password capture was a very serious
>> threat. It went away with SSH. It seems to me quite likely that
>> it would be a problem with web browsing in the absence of SSL.
>
>
>Right...  It's easy to claim that "it went away"
>because we protected against it.  Unfortunately,
>that's just a claim - there is no evidence of
>that.
>
>This is why I ask whether there has been any
>evidence of MITMs, and listening attacks.  We
>know for example that there were password
>sniffing attacks back in the old days, by
>hackers.  Hence SSH.  Costs -> Solution.
>
>But, there is precious little to suggest that
>credit cards would be sniffed - I've heard one
>isolated and unconfirmable case.  And, there are
>similar levels of MITM evidence - anecdotes and
>some experiences in other fields, as reported
>here on this list.
>

I think that Eric is 100% correct here: it doesn't happen because it's 
a low-probability attack, because most sites do use SSL.

I think that people are forgetting just how serious the password 
capture attacks were in 1993-94.  The eavesdropping machines were on 
backbones of major ISPs; a *lot* of passwords were captured.  
Furthermore, the technology has improved -- have you looked at dsniff 
lately, with the ARP-based active attack capability?  And credit cards 
are much easier to grab -- they're probably sent in one packet, instead 
of several, and the number is a self-checking string of digits.

It's also worth remembering that an SSL-like solution -- cryptographically 
protecting the transmission of credit card number, instead of digitally 
signing a funds transfer authorization linked to some account -- was 
more or less the only thing possible at the time.  The Internet as a 
medium of commerce was too new for the banks to have developed 
something SET-like, and there wasn't an overwhelmingly-dominant client 
platform at the time for which custom software could be developed.  
(Remember that Windows 95 was the first version with an integral TCP/IP 
stack.)  *All* that Netscape could deploy was something that lived in 
just the browser and Web server.  SET itself failed because the 
incentives were never there -- consumers didn't perceive any benefit to 
installing funky software, and merchants weren't given much incentive 
to encourage it.

		--Steve Bellovin, http://www.research.att.com/~smb
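The "self-checking string of digits" property Bellovin mentions is the Luhn checksum, and it cuts both ways: the same property lets a defender scan captured cleartext traffic for card numbers that should never have been sent unencrypted. Below is an added example (not from the original message or the list) of that check: it pulls digit runs out of constructed sample payloads, keeps only Luhn-valid ones, and reports them masked so the scan itself does not leak full numbers. The payloads, the `4111111111111111` Visa test number, and the 13-19 digit length window are assumptions of the example.

```python
import re

# Constructed sample "packet payloads" of the kind a cleartext capture might contain.
# 4111111111111111 is the standard Visa test number; the other lines are noise
# or digit runs that fail the Luhn check.
SAMPLE_PAYLOADS = [
    "POST /checkout HTTP/1.0\r\ncard=4111111111111111&exp=12/06",
    "GET /index.html HTTP/1.0\r\nHost: example.com",
    "order id 1234567890123 total 42.00",
    "card=4111 1111 1111 1112",
]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (assumed length window).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> list[str]:
    """Return every Luhn-valid card-number-like digit run in a payload."""
    hits = []
    for m in CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits; star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(payloads: list[str]) -> list[tuple[int, str]]:
    """Scan payloads and return (payload index, masked PAN) for each finding."""
    findings = []
    for idx, payload in enumerate(payloads):
        for pan in find_pans(payload):
            findings.append((idx, mask(pan)))
    return findings


if __name__ == "__main__":
    for idx, masked in scan(SAMPLE_PAYLOADS):
        print(f"payload {idx}: cleartext card number {masked}")
```

Only the first payload is reported: the 13-digit order id and the number with a wrong check digit both fail Luhn, which is what keeps the false-positive rate tolerable when this kind of check is run over real captures or logs.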


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


