Re: My credit card details have been sent in the clear!
From: Lassi Hippeläinen (lahippel_at_ieee.orgasm-research.invalid)
Date: 11/27/03
- Previous message: Jonah: "co-worker spy annoyance"
- In reply to: Giulio Cespuglio: "My credit card details have been sent in the clear!"
- Next in thread: leslie: "Re: My credit card details have been sent in the clear!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 Nov 2003 10:21:56 GMT
Giulio Cespuglio wrote:
>
> Should I worry?
> What are the odds of my details being sniffed and used?
> Could you point me to some literature please?
Depends very much on the kind of network you connect to. The best places
to sniff are close to you.
> In case you are curious, the problem is that an online retailer has
> sent back to my browser my details for confirmation - including full
> credit card number and expiry! I don't know much about SSL, but I'm
> pretty sure that, since the seller cannot know my public key, the
> information they send back is not encrypted. Am I wrong?
Luckily you are wrong, and in several points.
First, the seller knows your public key. That's the whole point in it.
Secondly, SSL uses asymmetric encryption only to start the encryption
session. The session itself uses symmetric encryption. The server has
the key as well, because otherwise it couldn't run the service. In fact,
the server and your browser generated the key in cooperation
("Diffie-Hellman-Merkle exchange").
Thirdly, if the response came through SSL, it was your own browser that
decrypted it. It travelled in the Internet in encrypted form.
-- Lassi
> Thanks a lot for your help.
>
> Regards,
> Giulio
- Previous message: Jonah: "co-worker spy annoyance"
- In reply to: Giulio Cespuglio: "My credit card details have been sent in the clear!"
- Next in thread: leslie: "Re: My credit card details have been sent in the clear!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
