[WEB SECURITY] SSL does not = a secure website

Richard St John Richard.StJohn at gbe.com
Tue Mar 28 09:32:53 EST 2006

What about man in the middle devices such as proxies? I have several
devices on my network that encrypt and decrypt SSL on the fly and can be
used to monitor what is sent to and an ECommerce site.

The one device {BlueCoat} even has a specialized card for this so it
doesn't take from the central processor. We use it for forward proxy,
and also reverse proxy in front of our ECommerce site, so if I wanted to
I could read the actual packet payload in the clear without either end
knowing the data has been decrypted.

We also have several sniffers with cards in them to do the same thing,
after all, the sniffers and BlueCoat see the entire conversations so
know what the encryption is.

>>> "Ryan Barnett" <rcbarnett at gmail.com> 03/27 7:40 PM >>>
I need some feedback from the lists.  Does any have any verifiable
(new story, etc...) that documents where attackers successfully
Credit Card data off of the Internet for an eCommerce site???  Every
that I have read about indicates that attackers mostly obtain this data
breaking into the back-end DB to steal the CC data rather than
Anyone with info to the contrary?

While I believe that we would all agree that the use of SSL for
eCommerce is
a good idea, I am interested in the actual THREAT.  It seems to me that
real threat to CC data is a vulnerable webapp/backend and not the use
SSL.  The PCI Data Security Standard document (
lists this as Requirement 4 -

Protect Cardholder Data

Requirement 3: Protect stored data

Requirement 4: Encrypt transmission of cardholder data and sensitive
information across public networks

So, when an eCommerce website boasts "We are a secure website" - keep
mind that they are referring to Requirement 4.  Who knows what they
doing about Requirement 3...

Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
Author: Preventing Web Attacks with Apache

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list