"SSL stops credit card sniffing" is a correlation/causality myth
Anne & Lynn Wheeler
lynn at garlic.com
Tue May 31 16:05:51 EDT 2005
Steven M. Bellovin wrote:
> Given the prevalence of password sniffers as early as 1993, and given
> that credit card number sniffing is technically easier -- credit card
> numbers will tend to be in a single packet, and comprise a
> self-checking string, I stand by my statement.
the major exploits have involved data-at-rest ... not data-in-flight.
internet credit card sniffing can be easier than password sniffing ....
but that doesn't mean that the fraud cost/benefit ratio is better than
harvesting large transaction database files. you could possibly
conjecture password sniffing enabling compromise/exploits of
data-at-rest ... quick in&out and may have months worth of transaction
information all nicely organized.
to a large extent SSL was used to show that internet/e-commerce wouldn't
result in the theoretical sniffing making things worse (as opposed to
addressing the major fraud vulnerability & threat).
internet/e-commerce did increase the threats & vulnerabilities to the
transaction database files (data-at-rest) ... which is where the major
threat has been. There has been a proliferation of internet merchants
with electronic transaction database files ... where there may be
various kinds of internet access to the databases. Even when the
prevalent risk to these files has been from insiders ... the possibility
of outsider compromise can still obfuscate tracking down who is actually
responsible.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
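The thread's two technical points, that a card number is a "self-checking string" and that the bulk of the exposure sits in stored transaction files, can be put together in a small data-at-rest scanner. The following is an added example, not code from either poster: it implements the standard Luhn checksum (the self-check Bellovin refers to) and uses it to pick real-looking card numbers out of a stored record dump while discarding other long digit runs. The record format and the sample records are constructed for the example; the Luhn algorithm itself is the standard one.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum: from the right, double every second digit,
    subtract 9 from any doubled value above 9, and require sum % 10 == 0."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run (the lookarounds stop partial matches).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Return the card numbers (digits only) found in a block of stored
    records. Digit runs that fail the Luhn check are dropped, which is
    what separates a card number from an order id of similar length."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits so a finding can be reported
    without copying the full number into another file."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# Constructed sample of a merchant transaction dump (hypothetical format).
# Lines 1 and 3 carry Luhn-valid test numbers; line 2 has a one-digit
# corruption and line 4 is a 13-digit order reference, neither of which
# should be reported.
SAMPLE_DB_DUMP = """\
txn_id=1001 pan=4111111111111111 amount=19.99
txn_id=1002 pan=4111 1111 1111 1112 amount=5.00
txn_id=1003 pan=3782-822463-10005 amount=250.00
txn_id=1004 order_ref=1234567890123 amount=3.50
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_DB_DUMP):
        print("card number present in stored data:", mask_pan(pan))
```

Run against the constructed dump it reports two findings and ignores the order reference; pointed at a real export of a transaction store it gives a quick inventory of where cleartext card numbers are actually sitting, which is the data-at-rest exposure the post argues matters more than sniffing on the wire.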