Re: SSL certificates

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 02/13/04


Date: Fri, 13 Feb 2004 16:13:42 GMT

Mailman <mailman@anonymous.org> writes:
> After all, robbing a bank is nothing when compared to _opening_ a bank!

or attacks on the owner of the website.

lots of past comments about SSL merchant server "comfort" certificates:
http://www.garlic.com/~lynn/subpubkey.html#sslcert

ssl was to address perceived weakness involving perceived domain name
hijacking weaknesses in the domain name infrastructure; merchants
would get a ssl server certificate from a TTP (trusted third party)
certification authority with their domain name, client browsers would
compare the domain name in the certificate with the URL they typed
... and have some comfort that the server they were talking to was the
one they expected to talk to from the URL. there was also the issue
that it supported an encrypted session, hiding the credit card number
while in transit.

a couple issues:

1) The TTP-CAs aren't the authoritative agency as to who owns the
domain name ... the domain name infrastructure is the authoritative
agency as to who owns the domain name. As part of the TTP-CA issuing
the certificate to the merchant ... they had to contact the domain
name infrastructure to see if the entity requesting the certificate is
the same entity that owns the domain name ... however this is the
domain name infrastructure that has the integrity issues that gave
rise to desire for needing certificates. So somewhat from the TTP-CA
industry there have been some proposals to improve the integrity of the
domain name infrastructure ... so that the TTP-CA industry can trust
them as part of issuing certificates. However, the net is that
various of the proposals to improve the integrity of the domain name
infrastructure (so that it can be trusted by the TTP-CA industry as
part of issuing certificates) also improves the domain name
infrastructure integrity so it can be trusted by everybody ... going a
long ways to eliminating the original requirement for needing the
merchant comfort certificates in the first place.

2) the major vulnerability to credit card numbers has been harvesting
of the transaction files from the merchant location. this is what
shows up in all the press ... various references:
http://www.garlic.com/~lynn/subpubkey.html#fraud
where the crook gets a hundred thousand numbers in one operation ...
as compared to the theoretical eavesdropping attack trying to catch a
credit card number in flight ... a vulnerability for which
there have been no known published actual occurrences (as far as i
know) ... the ROI fraud is so much higher harvesting the transaction
file compared to trying to get something out of eavesdropping. a
discussion of security proportional to risk/fraud ... and the threat
model associated with the merchant transaction file:
http://www.garlic.com/~lynn/2001h.html#61

so the two threat models addressed by SSL merchant server certificates:

a) vulnerability in domain name infrastructure with domain name
hijacking .... except to some degree certificates are cosmetic coating
since the vulnerabilities are still there and somebody just hijacks
the domain name and then applies for the certificate (and in fact the
CA industry has motivated solutions to the domain name infrastructure
vulnerabilities but the solutions would also eliminate justification
for needing certificates).

b) vulnerability in credit card number transmission ... for which
there have been no published exploits ... since it is so much more
productive to harvest the merchant transaction file.

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/ 
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
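
The browser-side comparison of the certificate's domain name with the typed URL, as described in the post, sketched here as an added example that is not part of the original message. The host names and certificate records are constructed, and the wildcard handling goes beyond the plain name comparison the post describes. The check passes identically for a certificate issued to whoever controlled the domain at issuance time, which is the post's point (a).

```python
from urllib.parse import urlsplit


def name_matches(cert_name, host):
    """Compare one DNS name from a certificate with the host from the URL.

    Wildcard support (left-most label only, whole label, at least three
    labels) is an assumption of this example, not something the post states.
    """
    p = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # "*.example" must never match; require a registered name below it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def url_matches_certificate(url, cert_dns_names):
    """Return True if an https URL's host is named in the certificate."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(name_matches(n, parts.hostname) for n in cert_dns_names)


# Constructed sample certificates (only the fields the comparison uses).
MERCHANT_CERT = {
    "issued_to": "the merchant",
    "dns_names": ["www.merchant.example", "*.shop.merchant.example"],
}
# Same name, but requested by a party that controlled the domain record
# when the CA consulted the domain name infrastructure.
OTHER_PARTY_CERT = {
    "issued_to": "party controlling the domain record at issuance",
    "dns_names": ["www.merchant.example"],
}

if __name__ == "__main__":
    url = "https://www.merchant.example/checkout"
    for cert in (MERCHANT_CERT, OTHER_PARTY_CERT):
        ok = url_matches_certificate(url, cert["dns_names"])
        print(cert["issued_to"], "->", "match" if ok else "mismatch")
```

Both certificates produce a match: the comparison only ties the URL to the name in the certificate, and the assurance about who holds that name rests on the lookup the CA performed against the domain name infrastructure.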

