[Gllug] IP address changes

Russell Howe rhowe at siksai.co.uk
Tue Nov 28 11:29:10 UTC 2006


On Tue, Nov 28, 2006 at 10:16:51AM +0000, Richard Jones wrote:
> Not directly in response, but this Schneier article is interesting:
> 
> http://www.schneier.com/crypto-gram-0303.html#3
> 
> <quote>
> In a Reuters article on the topic, I was quoted as saying that "Nobody
> bothers eavesdropping on the communications while it is in transit."
> This isn't a misquote (grammar mistake and all). Even if SSL were
> irrevocably broken, it wouldn't affect Internet security very
> much. There are two reasons. One, SSL is almost never used in a secure
> manner. And two, SSL doesn't solve an important security problem.
> [...]
> 
> Mostly, I see it used to protect credit card transactions; people are
> concerned about hackers stealing their credit card numbers as they
> move through the network. By now it should be obvious that hackers
> don't steal credit card numbers one by one across the network; they
> steal them in bulk -- by the thousands or even millions -- by breaking
> into poorly protected networks.
> </quote>

I agree, but also I would imagine that since most credit card
transactions are at least obscured (if you consider SSL to be breakable,
which I'm not sure it is, trivially) by SSL whilst in transit, it is at
least less practical to steal CC info by infecting routers etc. with
malicious code. It's just not as rewarding as attacking database servers
etc. The majority of attacks will always be against whatever targets
yield the greatest reward for the minimum effort and risk - breaking SSL
connections is relatively high risk (if you do a MITM attack with a
false cert. which isn't trusted by the browser, the user will get a
warning which you would hope makes them more alert - wishful thinking,
I'm sure) and quite a lot of effort (unless you have poor crypto
implementations, but this is a problem with any cryptosystem). The
combination of risk & effort makes such attacks less common and moves
the focus elsewhere.

If credit card transactions were ubiquitously in the clear, then I'm
sure you'd see more attacks against those network nodes likely to see
lots of such traffic.

One of the bigger problems with SSL or anything like it, is the somewhat
common misconception of "Oh, it's using SSL so it's secure" on the part
of the implementors. This is of course a weakness in the mindset of the
particular implementor/designer, and a sign that they don't really
understand what makes a system secure.

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
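The two mechanics in Russell's message, a MITM presenting a false certificate that the client's trust store rejects, and the "it's using SSL so it's secure" mistake of encrypting without ever checking who the peer is, shown as an added example that is not part of the original post or thread. The script stands up a local TLS server with a throwaway self-signed certificate (standing in for the attacker's false cert) and connects three clients to it: one with browser-like defaults (system trust store plus hostname check), one that has been explicitly told to trust that exact certificate, and one with verification switched off. It assumes Python 3.8+ and an `openssl` CLI on PATH to generate the key pair; the "ping"/"pong" exchange and the result labels are constructed for the demo.

```python
"""Added example: what the browser's "untrusted certificate" check buys you.

Three clients against one local TLS server with a self-signed cert:
  1. system trust store + hostname check  -> rejected (the warning case)
  2. that cert trusted explicitly         -> accepted (a pinned/known cert)
  3. verification disabled                -> accepted, cert never examined
Assumes the `openssl` CLI is on PATH (used only to mint the demo cert).
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(directory, common_name="localhost"):
    """Mint a throwaway RSA key and self-signed cert with openssl (assumed on PATH)."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found; cannot generate the demo certificate")
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={common_name}", "-addext", f"subjectAltName=DNS:{common_name}",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True,
    )
    return key, cert


def serve(listener, certfile, keyfile, connections):
    """Accept `connections` TLS clients; a client that refuses our cert is just skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    for _ in range(connections):
        conn, _addr = listener.accept()
        conn.settimeout(5)
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                if tls.recv(64) == b"ping":          # constructed demo exchange
                    tls.sendall(b"pong")
        except (ssl.SSLError, OSError):
            pass  # handshake aborted by the client (alert) or connection dropped


def try_handshake(port, ctx, server_hostname="localhost"):
    """Return 'accepted' or 'rejected: <reason>' for one connection with the given context."""
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(b"ping")
            reply = tls.recv(64)
        return "accepted" if reply == b"pong" else "accepted (no reply)"
    except ssl.SSLCertVerificationError as exc:
        # This is the point at which a browser shows its certificate warning.
        return f"rejected: {exc.reason}"


def run_demo():
    """Run the three clients against a local server; returns {label: outcome}."""
    with tempfile.TemporaryDirectory() as tmp:
        keyfile, certfile = make_self_signed_cert(tmp)
        listener = socket.create_server(("127.0.0.1", 0))
        listener.settimeout(10)
        port = listener.getsockname()[1]
        server = threading.Thread(target=serve, args=(listener, certfile, keyfile, 3), daemon=True)
        server.start()

        # 1. Browser-like defaults: chain must lead to a trusted CA, name must match.
        strict = ssl.create_default_context()
        # 2. Same strictness, but this exact cert is in the trust store (what clicking
        #    "accept permanently" on the warning amounts to, or a deliberate pin).
        pinned = ssl.create_default_context(cafile=certfile)
        # 3. "It's using SSL so it's secure": encrypted, but to whom? Any MITM cert passes.
        blind = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        blind.check_hostname = False
        blind.verify_mode = ssl.CERT_NONE

        results = {
            "system_trust_store": try_handshake(port, strict),
            "explicitly_trusted": try_handshake(port, pinned),
            "verification_disabled": try_handshake(port, blind),
        }
        server.join(timeout=10)
        listener.close()
        return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:22s} {outcome}")
```

The third client is the one to look for in code review: `verify_mode = CERT_NONE` (or its equivalent, a custom verifier that returns true) means the traffic is encrypted to whoever answered, which is exactly what an attacker sitting on the path wants. Note also that the order of the two assignments on the `blind` context matters: Python refuses to set `CERT_NONE` while `check_hostname` is still on.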
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug