Ian G wrote:
:-) OK, so Banks told the Users. Who told the Banks that 40 bits wasn't good enough for them?
Well, I think many banks had a better clue than most Limburger (er, 40-bit crypto) users. Then there was the incident where a college student broke a 40-bit key using unused CPU cycles of campus computers, and then proceeded to read old SSL traffic with it.
Good point. So all ISPs can sniff on traffic. Now,
the question is, why have ISPs had a very low incidence
of snooping and eavesdropping?
Why do you think that there has been a low incidence? Perhaps you expect the ISPs to be dumb enough to go out and use the CC numbers to buy TVs or drugs. Instead, some sell the personal info they find to information brokers. Marketeers really like to know who has big bank balances and who doesn't. By keeping it inobvious to the victim, the eavesdroppers can keep it up profitably for years. That's more valuable than a couple of TVs. Many broadband users in the US have signed agreements explicitly allowing this!
You'd think that by now there would have been dozens even
> hundreds of cases of such?
There have been, but as I said ...
I've heard of about one, maybe two if we push it. I think the reason is that your average ISP is staffed with the wrong sort of person to do insider attacks, whereas banks, telcos, and other places have no such good luck.
It's not the employee doing it against his boss's wishes. It's the boss's wishes being carried out.
(By viable threat model - I didn't mean it was possible, but that it was economically attractive.)
Very attractive to sell that data.
And there are proxies operating now that do real MITM attacks against SSL that passes through them. To use these proxies, you must agree to an end user agreement and download their software that installs their root CA cert. The end user agreement prevents the user from taking any action against them for their snooping. The user even agrees to "hold them harmless" against any legal action that might come against them as a result of the user blowing the whistle. Recent reports say there are tens of thousands of users of it.
Right, but we've excluded them, right?
I don't think so. How have we excluded them?
One of them has a WebTrust seal. Although they have not yet approached mozilla to be admitted as a CA (AFAIK), if they did so, on what basis in the present policy draft would they be denied?
Hint: think policy floor.
-- Nelson B _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
