[cryptography] PKI "fixes" that don't fix PKI (part III)

John Levine johnl at iecc.com
Sat Sep 10 19:46:59 EDT 2011

>You're missing my point.  Let's take the definition of "threat" from the
>National Academies study "Trust in Cyberspace": an adversary that is
>motivated and capable of exploiting a vulnerability.  There are three
>keywords, "motivated", "capable", and "vulnerability".

No argument there, except that I see no evidence that they're
motivated to steal card numbers in transit, or one at a time anywhere,
and no reason to think that anything will change that in the
forseeable future.  Google for "malware credit card sniffer" and
you'll find stories about stuff that steals numbers in bulk from cash
registers and payment processors, not individually from user PCs.

>Thought experiment: suppose that SSL or other generally-effective
>encryption did not exist.  What is the likelihood that today's generic
>malware would contain a credit-card sniffing module as well as keystroke
>loggers, account/password stealers, etc? 

But Steve, generic malware runs on your PC or in your browser.  If
they wanted to steal card numbers, they'd steal card numbers today,
from the browser or by key logging, before the numbers got TLS-ed.
Since they don't do it now, I don't see any reason to think they'd do
it if it were easier to steal them other places.

Once again, I agree that as a matter of general hygiene it makes sense
to encrypt traffic, but arguing that it's to protect credit card
numbers is looking for your keys under the lamppost.


More information about the cryptography mailing list