---------- Forwarded message ----------
Date: Tue, 13 Aug 2002 10:47:12 -0400
From: Ian Grigg <iangat_private>
To: dbsat_private
Subject: Re: [ISN] Security flaw found in Microsoft Web browser

On Tuesday 13 August 2002 08:00, you wrote:

> ``If you ever typed in credit card information to an SSL site
> there's a chance that somebody intercepted it,'' he added.

Right. A theoretical, infinitesimal chance. Next to zero. This issue has been around since the year dot, and there remains, ludicrously, no documented or admitted cases where credit card numbers have been intercepted on the net and used for fraudulent purposes.

By now, one would think that it would have happened by accident, just through the sheer number of openly emailed credit card numbers. But, instead, real crackers do what real crackers do: they hack into machines and steal databases full of credit cards.

> ``I would consider this to be incredibly severe,'' he added.
>
> Cryptography expert Bruce Schneier agreed.
>
> ``This is one of the worst cryptographic vulnerabilities I've seen
> in a long time,'' said Schneier, co-founder and chief technology
> officer at Counterpane Internet Security, a Cupertino,
> California-based network monitoring firm.
>
> ``What this means is that all the cryptographic protections of SSL
> don't work if you're a Microsoft IE user,'' Schneier added.

The eminent Mr Schneier must have been misquoted. What this permits is an MITM attack, the most obscure and unlikely of the scenarios. Passive listening is presumably unaffected, by orders of magnitude a greater danger.

I.e., say Yes to Mallory, say No to Eve.

> MICROSOFT DOWNPLAYS REPORT

Not that anyone will believe them, but in this case, it is indeed appropriate to assure that MITM attacks are hard.

This doesn't mean that they shouldn't fix the bug, but this flaw is more embarrassing than devastating; the fact that it took so long to find also points out the relative lack of popularity that Mallory has in the real world.
> An attacker wouldn't even need to create a fake Web site, but could
> merely intercept the data from a legitimate Web site without the
> victim knowing, Benham said.

Right, so there are two approaches: set up a fake web site as certs are now fakable. Or 'merely' intercept the traffic and conduct the MITM.

The former is plausible, but in fact it goes on a lot already, as seen from the gold experiences. I wonder how successful those efforts have been?

(It's no surprise that in later posts today, Rick van Rein talks about these efforts, as he's observing real security at work, not dwelling in the security industry.)

> ``The reason SSL exists is to defend against these types of
> attacks,'' he said. ``If these types of attacks were so hard, nobody
> would have to use SSL.''

Oddly enough, totally true. SSL use is not that high, simply because certs are so hard to set up, browsers discriminate against so-called snake-oils, and, meanwhile, MITM attacks remain too rare to measure. So there is no great "need" in the greater society of the net (other than the commercial needs of various security companies)

--
iang

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 05:35:13 PDT