
Re: securing html forms



>>>>> "Ghane" == Sanjeev Gupta <ghane@xxxxxxxxxxxxxxxxx> writes:

    Ghane> On Tue, 23 Jan 2001, Raju Mathur wrote:
    >> Having said that, guess how many of the millions of credit card
    >> numbers which have been stolen on the 'net were stolen while
    >> being transmitted to a server?  Yes, that's right: None!  The
    >> problems associated with snooping confidential information on
    >> public networks are so many, that 999 times out of 1000 it's
    >> much easier to just crack into the server where the CC numbers
    >> are stored and pick them up from there.  In other words,
    >> HTTPS/SSL is (usually) mostly marketing hype.

    Ghane> I think this is the first time I have heard someone else
    Ghane> say this.  Raj, and other folks working with ISPs, could
    Ghane> you tell me what kind of effort would be required if you
    Ghane> knew that I was downstream, about to log in by telnet to my
    Ghane> upstream Unix machine, and you wanted my password?

To the best of my knowledge, ISPs are busy enough tackling problems
of their own (like how to survive while still giving their customers
perceived value for money) to bother about snooping login/http
sessions.  Also, I wonder how many of them have a Clue about what is
possible on their networks and what isn't (for example, about 80-90%
of ISPs in India allow public access to their routers' and RAS' SNMP
data and allow DNS zone transfers from anonymous hosts).

Having said that, if I knew your source and destination IP addresses,
it'd be trivial to gather complete sessions and extract passwords.  As
you said, I've done it enough times on shared ethernet for
demonstration purposes.

And yes, I use ssh too -- just because snooping's impractical and
unlikely doesn't mean it can't happen :)

    Ghane> I am concerned about SSL mainly to secure traffic from a
    Ghane> promiscuous NIC on my local ethernet, not on the wide, wide,
    Ghane> world.

    Ghane> Of course, since I have not seen my view appreciated
    Ghane> anywhere, I do use ssh to connect to client machines ;-)

    Ghane> And re: Credit Card numbers, give me a break!!!  Every
    Ghane> waiter and restaurant cashier in SouthEx knows my Credit
    Ghane> Card number, not to mention the Petrol Pump walas.  And
    Ghane> yet, people will flat refuse to send it over the Internet.
    Ghane> As you pointed out, SSL is needed for public confidence.

-- 
Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/
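The two ISP misconfigurations mentioned in the reply above (anonymous DNS zone transfers and SNMP data readable by anyone) come down to a couple of directives. The fragments below are an added illustration, not configuration from anyone in this thread: a BIND `named.conf` zone stanza and a Net-SNMP `snmpd.conf`, each showing the open setting next to the restricted one. The zone name `example.net`, the secondary address `192.0.2.2`, the management network `192.0.2.0/24`, the TSIG key name `xfer-key` and the community string `ops-ro` are all made-up placeholders.

```conf
# --- BIND (named.conf) ---------------------------------------------
# Weak: any host on the Internet can pull the whole zone with AXFR,
# which hands out an inventory of every name and address you publish.
zone "example.net" {
    type master;
    file "db.example.net";
    allow-transfer { any; };          # open to anonymous hosts
};

# Restricted: only the listed secondary, and only when it presents the
# shared TSIG key, may transfer the zone.  (xfer-key is a placeholder
# name; the key itself is defined elsewhere in named.conf.)
zone "example.net" {
    type master;
    file "db.example.net";
    allow-transfer { 192.0.2.2; key xfer-key; };
};

# --- Net-SNMP (snmpd.conf) -----------------------------------------
# Weak: the well-known "public" community is readable from any source,
# so interface tables, routing tables and ARP caches are world-readable.
rocommunity public

# Restricted: a non-default community string, readable only from the
# management network, and only the system subtree rather than the whole
# MIB.  Both the string and the network are constructed examples.
rocommunity ops-ro 192.0.2.0/24 .1.3.6.1.2.1.1
```

Two points worth noting: `allow-transfer` can be set at the `options` level as a default for every zone, so a single `allow-transfer { none; };` there closes the door for any zone that does not override it; and for SNMP the community string is sent in clear text in v1/v2c, so the source restriction is what actually limits exposure, not the secrecy of the string.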