[WEB SECURITY] SSL does not = a secure website

Ryan Barnett rcbarnett at gmail.com
Mon Mar 27 20:40:31 EST 2006


I need some feedback from the lists.  Does anyone have any verifiable proof
(news story, etc.) that documents where attackers successfully sniffed
Credit Card data off of the Internet for an eCommerce site?  Every story
that I have read about indicates that attackers mostly obtain this data by
breaking into the back-end DB to steal the CC data rather than sniffing.
Anyone with info to the contrary?

While I believe that we would all agree that the use of SSL for eCommerce is
a good idea, I am interested in the actual THREAT.  It seems to me that the
real threat to CC data is a vulnerable webapp/backend and not the use of
SSL.  The PCI Data Security Standard document (
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf)
lists this as Requirement 4:

Protect Cardholder Data

Requirement 3: Protect stored data

Requirement 4: Encrypt transmission of cardholder data and sensitive
information across public networks

So, when an eCommerce website boasts "We are a secure website" - keep in
mind that they are referring to Requirement 4.  Who knows what they are
doing about Requirement 3...

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
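As an added example for the Requirement 3 side of Ryan's point (this is illustrative code, not part of his post or of the PCI document): SSL on the wire says nothing about what the back end keeps. The script below scans constructed sample back-end records (a DB row dump and an application log line) for full PANs, using a 13-19 digit run plus a Luhn check so that masked PANs and unrelated digit runs are not reported, and shows the first-six/last-four truncation that is commonly used for stored or displayed PANs. The function names, the sample records and the separator handling are assumptions of this example.

```python
import re

# Constructed sample of "back-end" data for this example: DB row dumps and
# an application log line. Record 1 already stores the PAN truncated
# (first six / last four); record 2 is a 16-digit tracking number that
# passes the digit-run regex but fails the Luhn check.
SAMPLE_RECORDS = [
    "order=1001 name=A. Customer pan=4111111111111111 exp=12/09",
    "order=1002 name=B. Customer pan=411111XXXXXX1111 exp=01/10",
    "order=1003 tracking=1234567890123456 carrier=UPS",
    "2006-03-27 20:40:31 INFO checkout ok card=5555555555554444 amt=19.99",
]

# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in text (likely full PANs)."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six / last four, the common PCI masking format."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def scan_records(records) -> dict:
    """Map record index -> full PANs stored in it. Empty dict = nothing found."""
    findings = {}
    for idx, rec in enumerate(records):
        pans = find_pans(rec)
        if pans:
            findings[idx] = pans
    return findings


if __name__ == "__main__":
    for idx, pans in scan_records(SAMPLE_RECORDS).items():
        # Never echo the full PAN in the report itself; mask it.
        print(f"record {idx}: stores full PAN(s) {[mask_pan(p) for p in pans]}")
```

Run it against a DB export or a day of web-server and application logs and the hits are exactly the data that Requirement 4 never protected: an attacker who reaches the back end reads it regardless of the cipher suite on the front door. The Luhn check is a filter, not proof; expect some false positives on long numeric IDs and confirm hits by hand.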