[cryptography] PKI "fixes" that don't fix PKI (part III)

Ian G iang at iang.org
Sat Sep 10 14:28:08 EDT 2011


Hi Steve,

On 11/09/2011, at 1:07, Steven Bellovin <smb at cs.columbia.edu> wrote:

>> Sorry, that doesn't work. Afaik, there is practically zero evidence of Internet interception of credit cards. 
> 
> This makes no sense whatsoever.

(the point here is that the original statement said we had limited Internet eavesdropping fraud to less than the level of card-present fraud; it is a loaded statement, it somehow implies "mission accomplished" when the reality isn't so clear.)

> Credit card numbers are *universally*
> encrypted; of course there's no interception of them.

I'm afraid that's not really true in the absolute sense. There are a lot of small merchants that take credit cards over http and email.  And phone...

> Sure, it's easier to harvest in bulk by hacking a web site, or by
> seeding self-propagating malware that logs keystrokes.  But if
> eavesdropping works -- and it has in enough other cases -- it would have
> been used.

MITMing has been tried using stolen certs, often enough, but has seemed to have been not worth the trouble, as against downgrade to http. Fwiw.

Eavesdropping has been attempted at cafes and other wireless places. I've never seen any hard numbers, but given the amount of wireless, it seems as this also hasn't shown itself sufficiently economic. So maybe it is an acceptable risk?

>  The *only* reason it isn't used against credit card numbers
> has been SSL.

That isn't a scientifically valid statement. For a start, we never ran the experiment, so we don't know if there was ever a risk. We assume it from the telnet experience.

Secondly, the context was different.  I.e., the solution to proven password eavesdropping was SSH, which does not use certs. The solution to anticipated credit card MITMing was SSL-with-certs.  4 points of difference.

Secondly, there's ample evidence to suggest more than one reason why it's less economic. Attackers don't choose your threat model, they choose their own risk model.




What went wrong last month was the certs part. As Lucky Green intimated, assumptions proved to be less robust than the cryptographers anticipated.

We have certs, we have to live with them. The question now is how to fix it up so we can continue. Assumptions will be the thing that blocks us. E.g. All CAs are equal.

Iang


More information about the cryptography mailing list