Monday, 09. September 2002
SSL does not protect your credit card transactions.
There was this nasty SSL/TLS certificate validation bug. So now MSNBC is spreading "FUD": "Windows flaw enables credit fraud". Attackers could use the flaw to get your credit card number.
In the mid-nineties there were people planning to do commerce on the Internet. They were told they couldn't do it, because the Internet "is not secure". Oh, not secure! Encryption makes stuff secure. So we encrypt the transactions via SSL and everything is secure - nobody could sniff your data from the wire. So users were told they should look for a little key icon in their browser, and if it's there the site "is secure" and they should start shopping like mad.
The problem is: nobody is sniffing credit card numbers off the wire. All the bad guys just r00t the servers and grab thousands of credit card numbers from there. So broken SSL is not a risk to credit card numbers, but poor host security is.
02:56 |
disLEXia, a research project by Maximillian Dornseif