At 11:10 PM 03/23/2003 -0500, Ian Grigg wrote:
Consider this simple fact: There has been no
MITM attack, in the lifetime of the Internet,
that has recorded or documented the acquisition
and fraudulent use of a credit card (CC).
(Over any Internet medium.)
One of the major reasons for this, of course,
is the requirement for certificates,
which give at least some vague level of authentication
that you're talking to the site you wanted,
as well as some much vaguer level of authentication
that the web site might correspond to some actual business
that at least had enough capital to buy a cert.
Sure, there are a variety of subtle and entertaining ways
to pull of MITM attacks, but one crude and obvious one
is to forge either an entire site or at least the parts of it
that ask for your credit card number,
and use something like DNS hacking or minor name misspellings
to get people to visit your site instead of the real one.
If you need to forward some of the requests on to the real site,
that's a bit more work, and makes you easier to trace,
so if you can be a MITM without bothering with the back half, great.
And of course the cruder and more obvious attack was to
create a site for a company that wasn't actually on the web yet,
so nobody's watching the site, and then fly-by-night out of there.
Is it perfect? No, but it does tend to raise the bar on attacks
to the point that keeps out lots of the anklebiters
and makes it more effective to attack a badly-administered server
instead of forging a better-administered server.
Oh, and it also let merchants who desperately wanted the public
to trust them enough to give them credit card numbers
tell their potential customers "See, we've got *cryptography*!"
instead of "See, we've got servers sitting exposed to the net",
which is a social engineering problem, and also let them say
"See, the certificates let you know you're talking to the
REAL Example Inc. instead a some faker putting up example.com."
Because the real economics is whether you can get customers to show up.
(Well, ok, and whether you can make money if they do show up :-)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]