
On 22/3/09 02:09, Nelson B Bolyard wrote:
Ian G wrote, On 2009-03-21 07:00:
After MITB surfaced (and scared the European bankers into action)

What is that?  Man In The Bank?
I suppose you meant MITM, but if not, please clarify.


Man in the Browser. It is a term that seems to have caught on to describe what happens when the browser is taken over by malware, and it owns the interface. To solve the security problems that arise in online banking is more challenging, which is where the Europeans moved to.

This is one of those cases where dire predictions of doom & gloom did not come to pass, *but* the European banks (generally, not all) put in place enough to mitigate it. As the problem didn't surface to any great extent in the USA, there is dispute as to whether it doesn't really exist, or whether there are just easier pickings elsewhere, and it's coming sometime.


people in finance circles started to realise that session authentication
was a mistake from the beginning

I would say there is not consensus on that view, but maybe I don't hang
out with enough European bankers.


Right, it isn't consensus, because if you understand it, you understand that you have to spend some money to get the security needed. Of course, risk mitigation can cost, etc. Security being about how much you're going to spend, and how much you're going to save.

( We are talking about banks, which as a core competence know how to deal with and price risks. Or, at least that was the story they used to tell, but they're a mite distracted these days, and their story sounds a little tarnished :)


(and that SSL was the vector for that mistake).

I think that paradigm goes back much farther than SSL.  Certainly SSL
continues it.


Right, indeed, if one wants to go further, it is the connection which is the vector of the mistake, and SSL just cemented it in place. I am told by my American friends that the source of the wisdom in US banking goes even further back to a data center in New York that was flooded in around the 1980s. When they recovered the tapes and started them up again, they then experienced a second flood of re-done and undone transactions ... at that point the banks realised the error in their ways.

So (in a sense you will be familiar) SSL is often "blamed" for all sorts of problems in online banking. This is somewhat fair because SSL was originally pushed for the purpose of protecting transactions. This simplistic view is extremely difficult to push past because those that support SSL won't ever say "don't use SSL for that" and meanwhile, SSL is still pushed as the way to do security for online transactions. So its existence has an effect of blocking any accurate discussions. Which is sort of rationalised at different levels.

(By SSL, here, I do not mean the protocol, I mean the whole secure browsing experience. For the protocol I prefer the term TLS. But that's just me.)


TLS plays no part in that, or, you are right that the part it plays is
that of the culprit;  distracting attention from the real security needs
by imposing its security model.

Where does TLS impose on anyone?
Who says "Use TLS and nothing else or you'll be sorry" ?
TLS offers something that is much more secure than plain text.  If some
group wants something else, they're free to design and implement it.

The problem has been that people who wanted a different model kept
wishing SSL had the model they wanted, and hating SSL for not having
the model they wanted, rather than inventing the thing they wanted.
TLS does not hold them back, except perhaps psychologically.


Exactly, like that! That's what we want to hear. So when any other model is presented, the people who support the SSL model will hopefully refrain from trashing the alternates :)


Getting back to the "cheap" end of the market, right, some of us are
still trying to extract value by getting TLS to the always-on and
dual-authentication status.  Only then can it deliver real value up to
the application, rather than open up weaknesses in other areas.  For
this, client certs seem to be useful, because the code is already
written in the server side.

And the bad ones remind us of that, every minute or two.  :)


lol... it is amazing what s**t we have to wade through in order to get a good value secure experience to our users!



iang
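The point made above, that a valid session gives browser malware free rein and that the mitigation is to authenticate each transaction rather than the session, as an added illustration (not code from this thread, from Mozilla, or from any bank): a toy session-authenticated transfer API, the same API extended with a per-transaction code that a separate device computes over the payee and amount it displayed plus a bank-issued nonce, and a simulated MITB that rewrites the payment in the browser. The class names, the shared device key, the HMAC-based code and the payment details are all assumptions made for the demo.

```python
"""Session authentication vs per-transaction authentication under a
Man-in-the-Browser (MITB).  Added illustration; every name, key and
payment below is made up for the demo.  The out-of-band signer stands
in for any device that shows payee and amount on its own display."""
import hmac
import hashlib
import secrets


class SessionAuthBank:
    """Authenticates the *session* only: anything sent with a valid
    session token is executed.  Once malware owns the browser it also
    owns the token, so it can send whatever it likes."""

    def __init__(self):
        self.sessions = {}        # token -> user
        self.ledger = []          # executed transfers

    def login(self, user, password):
        # Password check omitted: the point is what happens *after* login.
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def transfer(self, token, payee, amount):
        user = self.sessions.get(token)
        if user is None:
            return False
        self.ledger.append((user, payee, amount))
        return True


def transaction_code(key, payee, amount, nonce):
    """What the user's separate device computes after showing payee and
    amount on its own screen.  Canonical encoding so both sides agree."""
    msg = f"{payee}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class TxnAuthBank(SessionAuthBank):
    """Additionally authenticates each *transaction*: the bank issues a
    one-time nonce, the device computes a code over the payee/amount it
    displayed plus that nonce, and the bank verifies the code against
    the payee/amount it was actually asked to execute."""

    def __init__(self):
        super().__init__()
        self.device_keys = {}     # user -> key shared at enrolment (assumed)
        self.pending = {}         # nonce -> user, consumed on first use

    def enrol_device(self, user):
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key

    def start_transfer(self, token):
        user = self.sessions.get(token)
        if user is None:
            return None
        nonce = secrets.token_hex(8)
        self.pending[nonce] = user
        return nonce

    def transfer(self, token, payee, amount, nonce, code):
        user = self.sessions.get(token)
        if user is None or self.pending.pop(nonce, None) != user:
            return False          # unknown session, or nonce replayed
        expected = transaction_code(self.device_keys[user], payee, amount, nonce)
        if not hmac.compare_digest(expected, code):
            return False          # payee/amount differ from what the user approved
        self.ledger.append((user, payee, amount))
        return True


def mitb_rewrite(payee, amount):
    """The malware in the browser: the user typed one payment, the browser
    sends another.  Destination and multiplier are invented for the demo."""
    return ("MULE-ACCOUNT", amount * 10)


def demo_session_auth():
    bank = SessionAuthBank()
    token = bank.login("alice", "hunter2")
    payee, amount = mitb_rewrite("landlord", 800)
    bank.transfer(token, payee, amount)      # bank cannot tell this is not Alice
    return bank.ledger[-1]


def demo_txn_auth():
    bank = TxnAuthBank()
    key = bank.enrol_device("alice")
    token = bank.login("alice", "hunter2")
    nonce = bank.start_transfer(token)
    code = transaction_code(key, "landlord", 800, nonce)   # device shows 'landlord 800'
    payee, amount = mitb_rewrite("landlord", 800)
    tampered = bank.transfer(token, payee, amount, nonce, code)
    nonce2 = bank.start_transfer(token)
    code2 = transaction_code(key, "landlord", 800, nonce2)
    honest = bank.transfer(token, "landlord", 800, nonce2, code2)
    replay = bank.transfer(token, "landlord", 800, nonce2, code2)
    return tampered, honest, replay, bank.ledger


if __name__ == "__main__":
    print("session auth, MITB rewrite executed:", demo_session_auth())
    print("txn auth (tampered, honest, replay, ledger):", demo_txn_auth())
```

The property the demo isolates is binding: the code is valid only for the exact payee and amount the device displayed and for one nonce, so the MITB can neither alter the payment in flight nor reuse a code it observed. Everything the browser does after login is still under the malware's control; what changes is that the bank no longer takes the browser's word for what the user intended.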

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
