[WEB SECURITY] SSL does not = a secure website

Richard St John Richard.StJohn at gbe.com
Tue Mar 28 09:32:53 EST 2006


What about man in the middle devices such as proxies? I have several
devices on my network that encrypt and decrypt SSL on the fly and can be
used to monitor what is sent to and an ECommerce site.

The one device {BlueCoat} even has a specialized card for this so it
doesn't take from the central processor. We use it for forward proxy,
and also reverse proxy in front of our ECommerce site, so if I wanted to
I could read the actual packet payload in the clear without either end
knowing the data has been decrypted.

We also have several sniffers with cards in them to do the same thing,
after all, the sniffers and BlueCoat see the entire conversations so
know what the encryption is.


>>> "Ryan Barnett" <rcbarnett at gmail.com> 03/27 7:40 PM >>>
I need some feedback from the lists.  Does any have any verifiable
proof
(new story, etc...) that documents where attackers successfully
sniffed
Credit Card data off of the Internet for an eCommerce site???  Every
story
that I have read about indicates that attackers mostly obtain this data
by
breaking into the back-end DB to steal the CC data rather than
sniffing.
Anyone with info to the contrary?

While I believe that we would all agree that the use of SSL for
eCommerce is
a good idea, I am interested in the actual THREAT.  It seems to me that
the
real threat to CC data is a vulnerable webapp/backend and not the use
of
SSL.  The PCI Data Security Standard document (
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf)
lists this as Requirement 4 -
*

Protect Cardholder Data
*

Requirement 3: Protect stored data

Requirement 4: Encrypt transmission of cardholder data and sensitive
information across public networks

So, when an eCommerce website boasts "We are a secure website" - keep
in
mind that they are referring to Requirement 4.  Who knows what they
are
doing about Requirement 3...

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list