LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Net banks with linux support

Colm MacCarthaigh colm at stdlib.net
Sat Jul 16 20:08:29 IST 2005


On Sat, Jul 16, 2005 at 06:12:21PM +0100, Bryan O'Donoghue wrote:
> The keyspace, for the encryption used, for SSL/TSL if we assume AES, is
> 2^128 keys... the chances of getting lucky cracking such an encrypted
> set of TCP packets... is quite small. Brute forcing is practically
> impossible, since there is not enough silicon nor enough time in the
> universe, to search the entire AES keyspace.

How is the AES assumption valid? And how do you then extrapolate a 2^128
keyspace? SSL and TLS (not TSL) support variable key sizes, as does the
AES algorithm.

I think you've completely missed the point. The main risks involved with
online banking are not your sessions being intercepted and deciphered,
but rather are to do with the security surrounding the endpoints.

The biggest risks surround your client machine and web-browser. These
range from the phishing attacks, browser cache misbehaviour, the
SSL-transparent unicode DNS problems, to boxes being trojaned, keystroke
loggers and all sorts of really common things like that. However, since
this is a Linux users' group, we can assume a certain amount of
risk-mitigation on this side.

On the server side, you're screwed. You're entirely reliant on whatever
measures the bank has taken. By signing up for online banking, you're
certainly increasing the risk of your sensitive personal information to
others. Judging that risk is very complex though, and SSL/TLS is only
one very small part of the full equation.

> Compare the security and verifiability of SSL to Automatic teller machines.

That's a naive comparison. SSL secures only the communication between
you and the bank's interface. SSL is comparable to ensuring no one can
look over your shoulder, or the ATM screen is readable only from a small
range of angles.

> Do I know how, encryption of my sensitive data is accomplished with ye
> olde ATM machine talking to a bank over PSTN from my local Centra ?

You don't. And that's the point you've completely missed about online
banking. You have no visibility of anything behind the interface the
bank have provided you.

But there are some differences which make people think that online
interfaces are less secure:

  1. ATMs have been around a lot longer, there is more study and
     expertise around securing them and securing ATM -> bank
     communication.

  2. ATMs generally have a much more limited range for input. The
     ATMs themselves generally only have about 15 buttons, and
     the communications protocols rarely have more than about a
     dozen or so commands. Consider how much variability of input
     SSL/TLS, HTTP and HTML combined have.

  3. Online systems are vastly more complex, rely on more software
     and on more software interoperating successfully.

  4. Online systems tend to fail open. When you consider how most
     systems are developed, it's not exactly confidence inspiring.
     At least the ATM protocols are stubbornly rigid about what
     will and what won't work.

Of course ATMs still have their own deficiencies, like the simple
man-in-the-middle attacks that have been occurring in the last few years.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net
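The reply's first point is that TLS does not have one fixed key size: the client and server negotiate a cipher suite from a list, and the symmetric key strength depends on which suite wins. The following is an added example, not code from the thread or from either poster, that audits what a local Python client context would accept, grouping the enabled suites by symmetric key strength as reported by the underlying OpenSSL. It uses only the standard `ssl` module and runs offline; it assumes a default client context on a modern OpenSSL build.

```python
import ssl
from collections import defaultdict
from typing import Dict, List


def cipher_strengths(ctx: ssl.SSLContext) -> Dict[int, List[str]]:
    """Group the cipher suites this context is willing to negotiate by
    symmetric key strength in bits (OpenSSL's 'strength_bits')."""
    by_bits: Dict[int, List[str]] = defaultdict(list)
    for suite in ctx.get_ciphers():
        by_bits[suite["strength_bits"]].append(suite["name"])
    return dict(by_bits)


def weakest_allowed_bits(ctx: ssl.SSLContext) -> int:
    """Smallest symmetric key strength a peer could talk this context down to.
    This, not the strongest suite on offer, is the number that matters."""
    return min(suite["strength_bits"] for suite in ctx.get_ciphers())


def protocols_offered(ctx: ssl.SSLContext) -> List[str]:
    """Protocol versions the enabled suites belong to (e.g. TLSv1.2, TLSv1.3)."""
    return sorted({suite["protocol"] for suite in ctx.get_ciphers()})


def audit_default_context() -> dict:
    """Summarise what a default Python client context would negotiate."""
    ctx = ssl.create_default_context()  # assumption: default client settings
    return {
        "strengths": cipher_strengths(ctx),
        "weakest_bits": weakest_allowed_bits(ctx),
        "protocols": protocols_offered(ctx),
    }


if __name__ == "__main__":
    report = audit_default_context()
    for bits, names in sorted(report["strengths"].items()):
        print(f"{bits}-bit symmetric: {len(names)} suites, e.g. {names[0]}")
    print("weakest key the client would accept:", report["weakest_bits"], "bits")
    print("protocol versions represented:", ", ".join(report["protocols"]))
```

On a current OpenSSL the default context lists both 128-bit and 256-bit AES suites (plus ChaCha20 at 256 bits), which is exactly why "assume AES, so 2^128" is not a statement about any particular session: the negotiated suite decides, and the weakest suite either side is still willing to accept bounds the session from below.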

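Points 2 and 4 above, a small fixed command set versus "fail open", describe a design property rather than a cryptographic one. The following is an added example, not code from the thread or from either poster, that contrasts a fail-closed parser for a constructed toy command set (a handful of commands with exact argument counts, loosely in the spirit of the "dozen or so commands" mentioned, not any real ATM protocol) with a lenient parser that tries to make sense of whatever arrives. The command names, amount limits and messages are all invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed toy protocol: command name -> exact number of arguments.
ALLOWED = {
    "BALANCE": 0,
    "WITHDRAW": 1,
    "DEPOSIT": 1,
}
# Whole units only, no sign, no leading zeros, at most six digits (invented limit).
AMOUNT = re.compile(r"[1-9][0-9]{0,5}")


@dataclass(frozen=True)
class Command:
    name: str
    amount: Optional[int] = None


def parse_fail_closed(message: str) -> Command:
    """Accept exactly the allowed grammar; anything else is rejected.

    No case folding, no trimming, no extra tokens, no reinterpretation of
    the amount: the system stays rigid about what will and won't work."""
    parts = message.split(" ")
    name, args = parts[0], parts[1:]
    if name not in ALLOWED:
        raise ValueError(f"unknown command: {message!r}")
    if len(args) != ALLOWED[name]:
        raise ValueError(f"{name} takes {ALLOWED[name]} argument(s), got {len(args)}")
    if args:
        if not AMOUNT.fullmatch(args[0]):
            raise ValueError(f"bad amount: {args[0]!r}")
        return Command(name, int(args[0]))
    return Command(name)


def parse_fail_open(message: str) -> Command:
    """Lenient parser that 'does its best' with whatever arrives: folds case,
    ignores surplus tokens, scrapes digits out of the first token that has
    any, and falls back to BALANCE for anything it does not recognise.
    Every one of those conveniences is a place where bad input becomes
    some action instead of an error."""
    parts = message.strip().split()
    name = parts[0].upper() if parts else "BALANCE"
    if name not in ALLOWED:
        name = "BALANCE"
    amount = None
    for token in parts[1:]:
        digits = "".join(ch for ch in token if ch.isdigit())
        if digits:
            amount = int(digits)
            break
    return Command(name, amount)


def accepted(parser: Callable[[str], Command], message: str) -> bool:
    """True if the parser turns the message into some command, False if it refuses."""
    try:
        parser(message)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed, the rest malformed in different ways.
    for msg in ["WITHDRAW 100", "withdraw 100", "WITHDRAW 1e3 junk", "WITHDRAW 0100", "FORMAT DISK"]:
        closed = "rejected" if not accepted(parse_fail_closed, msg) else parse_fail_closed(msg)
        print(f"{msg!r:22} fail-closed: {closed!s:32} fail-open: {parse_fail_open(msg)}")
```

The lenient parser never raises, so "WITHDRAW 1e3 junk" quietly becomes a withdrawal of 13 and an unrecognised command quietly becomes a balance enquiry; the strict parser accepts exactly one spelling of each valid message and refuses everything else, which is the behaviour the reply credits to the rigid ATM protocols.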