[15803] in cryptography@c2.net mail archive
Re: Using crypto against Phishing, Spoofing and Spamming...
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Jul 21 11:28:44 2004
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@research.att.com>
To: Ian Grigg <iang@systemics.com>
Cc: EKR <ekr@rtfm.com>, Florian Weimer <fw@deneb.enyo.de>,
cryptography@metzdowd.com
In-Reply-To: Your message of "Sun, 18 Jul 2004 12:38:07 BST."
<40FA611F.8030403@systemics.com>
Date: Mon, 19 Jul 2004 15:54:21 -0400
In message <40FA611F.8030403@systemics.com>, Ian Grigg writes:
>>
>> Don't be silly. It's not a threat because people generally use
>> SSL. Back in the old days, password capture was a very serious
>> threat. It went away with SSH. It seems to me quite likely that
>> it would be a problem with web browsing in the absence of SSL.
>
>
>Right... It's easy to claim that "it went away"
>because we protected against it. Unfortunately,
>that's just a claim - there is no evidence of
>that.
>
>This is why I ask whether there has been any
>evidence of MITMs, and listening attacks. We
>know for example that there were password
>sniffing attacks back in the old days, by
>hackers. Hence SSH. Costs -> Solution.
>
>But, there is precious little to suggest that
>credit cards would be sniffed - I've heard one
>isolated and unconfirmable case. And, there are
>similar levels of MITM evidence - anecdotes and
>some experiences in other fields, as reported
>here on this list.
>
I think that Eric is 100% correct here: it doesn't happen because it's
a low-probability attack, because most sites do use SSL.
I think that people are forgetting just how serious the password
capture attacks were in 1993-94. The eavesdropping machines were on
backbones of major ISPs; a *lot* of passwords were captured.
Furthermore, the technology has improved -- have you looked at dsniff
lately, with the ARP-based active attack capability? And credit cards
are much easier to grab -- they're probably sent in one packet, instead
of several, and the number is a self-checking string of digits.
It's also worth remembering that an SSL-like solution -- cryptographically
protecting the transmission of credit card number, instead of digitally
signing a funds transfer authorization linked to some account -- was
more or less the only thing possible at the time. The Internet as a
medium of commerce was too new for the banks to have developed
something SET-like, and there wasn't an overwhelmingly-dominant client
platform at the time for which custom software could be developed.
(Remember that Windows 95 was the first version with an integral TCP/IP
stack.) *All* that Netscape could deploy was something that lived in
just the browser and Web server. SET itself failed because the
incentives were never there -- consumers didn't perceive any benefit to
installing funky software, and merchants weren't given much incentive
to encourage it.
--Steve Bellovin, http://www.research.att.com/~smb
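The remark above that a card number is "a self-checking string of digits" refers to the Luhn mod-10 check digit, and it cuts both ways: the same property that makes a card number easy to pick out of a packet capture is what leak-detection (DLP) scanners use to find card numbers sitting in cleartext logs or traffic. The following is an added example, not code from the message or its author: a Luhn validator, a scanner that flags Luhn-valid 13-19 digit runs in text, and a check of the "self-checking" property itself (every single-digit transcription error fails the check). The sample log lines are constructed for this example; the 4111 1111 1111 1111 value is a widely published Luhn-valid test number, not a real account.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Constructed for this example; production
# DLP tools add per-brand prefix/length tables on top of this.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines: one valid test PAN, one 13-digit reference
# number that fails Luhn, and one PAN with a typo in the last digit.
SAMPLE_LOG = """\
2004-07-19 15:54:21 POST /checkout card=4111111111111111 exp=12/06
2004-07-19 15:54:22 GET /img/logo.gif ref=1234567890123
2004-07-19 15:54:23 POST /checkout card=4111-1111-1111-1112 exp=12/06
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9      # equivalent to summing the two digits of the product
        total += d
    return total % 10 == 0


def find_card_like(text: str) -> list[str]:
    """Return digits-only substrings that look like card numbers and pass Luhn.

    Luhn filtering removes roughly 90% of random digit runs of the right length,
    which is why the check is the first filter in most card-number scanners.
    """
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def single_digit_errors_detected(pan: str) -> bool:
    """Show the self-checking property: changing any one digit breaks the Luhn check."""
    if not luhn_valid(pan):
        return False
    for pos, original in enumerate(pan):
        for replacement in "0123456789":
            if replacement == original:
                continue
            mutated = pan[:pos] + replacement + pan[pos + 1:]
            if luhn_valid(mutated):
                return False    # a single-digit error slipped through
    return True


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        found = find_card_like(line)
        print(f"{'LEAK' if found else 'ok  '} {line}")
    print("single-digit errors detected:",
          single_digit_errors_detected("4111111111111111"))
```

Run as a script it prints one line per log entry, flagging only the first (the valid PAN); the 13-digit reference number and the mistyped card both fail Luhn and are dropped, which is the false-positive reduction a scanner relies on.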
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com