Re: CRIME Re: cryptography

From: Zot O'Connor (zot@private)
Date: Thu Apr 18 2002 - 16:19:39 PDT


    A few points to add to the fray:
    
    1)  Things like SSL are *minimum* steps.  If a site does not even have
    SSL up and running, it tells me volumes about their *lack* of skill. 
    Having it does not mean the credit card is not stored on a flat file
    available via network neighborhood, but it's a start.
    
    2)  Even weak cryptography raises the bar phenomenally.  I have done
    clean up jobs on boxes that had every single password for an ISP based
    on POP, FTP and telnet passwords.  It was in a nice neat formatted
    file.  Had the information been encrypted, it would have raised the bar.
    
    3)  So bad encryption's worst problem is a false sense of security.  Had
    the script kiddies in the box in #2 had an ssh cracker, ssl crack, or
    other, they would have had more passwords.  The ISP *might* have noticed
    the load then...
    
    So, does this mean you have to sprint out and replace all SSL right
    now?  No.  It should be included in all future maintenance and upgrades.
    
    You might want to check critical data flows, but I'd be more worried
    about data storage than transmission (if the transmission is encrypted).
    
    
    
    
    -- 
    Zot O'Connor
    
    http://www.ZotConsulting.com
    http://www.WhiteKnightHackers.com
    


