Wednesday, March 28, 2007

Pete Lindstrom Can Take My SSL Certs

In case you missed it, Pete Lindstrom, the infosec blog scene's answer to Snidely Whiplash, challenged some of the conventional wisdom around using SSL. Twice.

Pete caught some well-deserved flak for musing that SSL serves little to no purpose. But on the point that SSL on Internet web sites only really serves to encrypt data between the browser and the web server, I agree completely. Pete's assessment is that SSL basically serves to prevent sniffing. I disagree. Pete also guesses that sniffing is a rare attack against web sites. No surprise, I disagree. So Pete is at least half right.

SSL on public web sites doesn't do much to secure them. But it doesn't do much to prevent sniffing, either. Point-and-click tools, like the one I used in this TV news story, make it possible for public WiFi hotspots or even corporate networks to be subverted, for SSL MITM sniffing to occur, and for passwords or credit card numbers to be stolen as people shop online nearby. And if you think your users read those SSL warnings from IE and click 'No' when they see them, I've got a bridge in Second Life I'd like to sell you.