Comments: What is the point of encrypting information that is publicly visible?

PAIN security acronym:

P ... privacy (sometimes CAIN & confidentiality)
A ... authentication
I ... integrity
N ... non-repudiation

original (and possibly still one of the major) use for SSL was hiding account numbers as part of e-commerce ... long winded archeological reference
http://www.garlic.com/~lynn/2006u.html#56

a large part of the issue with account numbers is diametrically opposing requirements.

frequently just knowledge of account numbers can effectively be used in various kinds of replay attacks for fraudulent transactions ... resulting in the requirement for account numbers to be kept confidential and never divulged.

at the same time, account numbers are required in scores of business processes, and as such, are required to be readily available. my oft repeated comment is that as a result of the diametrically opposing requirements, the planet could be buried under miles of encryption and still be unable to prevent account number leakage.

somewhat related thread
http://www.garlic.com/~lynn/aadsm26.htm#6
http://www.garlic.com/~lynn/2006v.html#1
http://www.garlic.com/~lynn/2006v.html#2

as mentioned in the above, the x9.59 financial standard changed the paradigm ... eliminating the requirement for keeping account number confidential ... effectively by using (consistently applying end-to-end) authentication and integrity for security ... as part of "armoring" all transactions (instead of privacy/confidentiality to achieve security, authentication and integrity was used for security).

of course, part of this was studying what the threats were and why ... and creating countermeasures for the actual threats.

Posted by Lynn Wheeler at November 24, 2006 05:36 PM

somewhat related news item, hot off the presses

Michigan Credit Card Mystery Deepens
http://www.consumeraffairs.com/news04/2006/11/mi_card_fraud.html

from above:

Numerous incidents involving breaches of bank security also demonstrate that there are major vulnerabilities at every level of a plastic transaction, from withdrawing money to buying goods online.

... snip ...

and/or can you say security proportional to risk?
http://www.garlic.com/~lynn/2001h.html#61

and then there are a couple recent posts about insider threats
http://www.garlic.com/~lynn/2006v.html#2 New attacks on the financial PIN processing
http://www.garlic.com/~lynn/aadsm26.html#7 Citibank e-mail looks phishy

Posted by Lynn Wheeler at November 25, 2006 03:53 PM

I was busily coding away today using a little javascript and such and found by accident all browsers except MS IE don't warn users if you visit a https website and there is a script that points to a http URI...

So much for them all being more secure then MSIE :)

Posted by Duane at November 26, 2006 11:04 AM

"Only end-to-end security is secure."

Not only that, but I think this can be made stronger: only application level end-to-end security can be secure. You mention IPsec, "Consider IPSec ... how do we know whether it is there?" which really raises a more critical question: how do we know it is there and working properly?

If you rely upon lower level security, you are relying that it is really providing security. How do you know that it is really AES-256 and not ROT-13 claiming to be IPsec? The sad, painful and expensive answer is that you can not know without doing the exact same validation that you need to implement your own application level code using AES-256. Which negates all the advantages of having the easy to use lower level security.

Building secure communications is painful and hard. It is essentially hard and there are no shortcuts.

Posted by Pat Farrell at November 26, 2006 12:08 PM

To Duane: It's not a bug, it's a setting, usually people check the "don't bother me with this again" when they see it.

http://www.pengdows.com/images/firefox.png

(Editor's note: Alaric's picture is above.)

Posted by Alaric at November 26, 2006 02:25 PM

This is good stuff. I think it would be useful to have a documentary film, an educational film, to explain this. It could be done almost exactly like a powerpoint, with a written script and alternating between a narration, and some simple diagrams.

The larger trend in society is that people are increasingly turned off by technology. In the 1960s there were a lot more shop and technology classes in high schools for example; But successive generations of people have learned that you're a chump, to learn engineering, software, etc. It's a life of being laid off, outsourced, etc. as everything you do that's valuable migrates to corporate ownership, and the rest is outsourced to low cost countries.

So the result is that fewer and fewer people seem to have any familiarity with the idea of a software stack, etc. To the public, the whole computer, as a whole is their only unit of analysis, and of course, they don't trust it; they know it betrays their own interests in so many ways, This ignorance is the problem that the documentary clip would address.

Posted by Todd at November 28, 2006 06:49 AM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x55e5a3ecbc50) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.