Colm MacCarthaigh wrote:
> On Sat, Jul 16, 2005 at 06:12:21PM +0100, Bryan O'Donoghue wrote:
>>>The keyspace, for the encryption used, for SSL/TSL if we assume AES, is
>>2^128 keys... the chances of getting lucky cracking such an encrypted
>>set of TCP packets... is quite small. Brute forcing is practically
>>impossible, since there is not enough silicon nor enough time in the
>>universe, to search the entire AES keyspace.
>>> How is the AES assumption valid? And how do you then extrapolate a 2^128
> keyspace? SSL and TLS (not TSL) support variable key sizes, as does the
> AES algorithim.
'Assuming' the AES algorithm as the method for encryption, the very
_worst_ keyspace is 2^128. As you've already pointed out AES can have
variable key sizes, with 128 bits, being the smallest.
> The main risks involved with
> online banking are not your sessions being intercepted and deciphered,
> but rather are to do with the security surrounding the endpoints.
Of course that is one of the obvious choices for obtaining ATM/Credit
card details. Indeed, it would make much more sense, to attempt to
compromise a bank's servers and circuitously obtain, Colm MacCartaigh's
Credit Card number, at the server, then it would to attempt to brute
force, captured SSL encrypted packets, even if we assume a pathetic 40
bit key is in use, but really it's not a _likely_ delta for compromising
online transactions.
> The biggest risks surround your client machine and web-browser. These
> range from the phishing attacks, browser cache misbehaviour, the
> SSL-transparent unicode DNS problems, to boxes being trojaned, keystroke
> loggers and all sorts of really common things like that. However, since
> this a linux-users group, we can assume a certain ammount of
> risk-mitigation on this side.
Indeed. I'll go out on a limb and claim that, my laptop, is reasonably
secure. Moreover, from my point of view, as a security concerned user,
my laptop has an inordinately high degree of verifiability, that an
Automatic Teller Machine, which a recent thread on ILUG pointed out, is
quite likely to be running a Windows permutation or an OS/2 permutation
of some kind, and thus to me, as a user, is black box technology.
Indeed in the domain, of a choice between using my laptop to talk to
AIB's (for argument sake) Webserver, which in turn talks to AIB's
*accounting* mainframe (of which we have no details), I have
verifiability that my laptop isn't compromised and that I have at least
a passing understanding of the crypto system in use, between my endpoint
and the remote entity (Webserver).
Compare this to an ATM running OS/2. As has been reported in the news
recently, it is quite possible that somebody has installed spy equipment
on this ATM. I have no real way to verify that the ATM uses a secure or
reasonably secure system, from itself, to the ATM's remote PSTN Server.
As opposed to my Linux Laptop and a very well known publicly scrutinised
security system (SSL). That, is in fact, the entire nexus of my
argument. I patently think it's ludicrous and absurd to claim that an
ATM brings better verifiability, when really, the only verifiability
proffered is a claim by yourself and Mr Foster, that ATMs are /more/ secure.
I wonder what, the banks would say ? I'm sure the banks would attest
that /both/ systems are secure, but, I suggest that in the time that
both ATMs and online banking have been in use, that it's far more likely
that ATMs have been compromised then the online banking infrastructure.
That however, is my (instinct) on this matter, I'll not attempt to pass
it off as fact, without offering actual data, to support it. You should
consider the same, when claiming that ATMs are a well designed and
debugged system, I should think.
> On the server side, you're screwed. You're entirely reliant on whatever
> measures the bank has taken.
Colm, you must have realised as you were typing it, that you are
entirely as reliant on that particular locus, irrespective of whether or
not you use a Laptop or an ATM, to perform your remote financial actions.
I'd really be interested in how you could explain how ATM->PSTN
Server->Financial Mainframe [1] is less vulnerable then
Firefox->Webserver->Financial Mainframe ?
[1] http://money.howstuffworks.com/atm2.htm
>>Compare the security and verifiability of SSL to Automatic teller machines.
>>> SSL secures only the communication between
> you and the bank's interface. SSL is comparable to ensuring noone can
> look over your shoulder, or the ATM screen is readable only from a small
> range of angles.
>>>>Do I know how, encryption of my sensitive data is accomplished with ye
>>olde ATM machine talking to a bank over PSTN from my local Centra ?
>>> You don't. And that's the point you've completely missed about online
> banking. You have no visibility of anything behing the interface the
> bank have provided you.
In either case Colm, you have no visibility as to what the bank does
with your data, once the remote entity has your critical data, it is
quite simply the case that you must /trust/ the system involved, or not
use it.
The only actual line of verifiability you have is that with online
banking you can verify to a certain extent, that /your/ computer is safe
and secured, from some sort of data graphing attack. You can verify to
one level or another that /you/ are happy with SSL, /you/ can examine
the certificate given out by the server, is who it claims to be.
None of that is true with ATM. For me as a user, the ATM is inordinately
less verifiable and visible... I should think, that this is a totally
obvious fact ! Also remember, it _is_ the reliability of ATMs versus
Online banking, we are debating. I wouldn't claim, that I have complete
trust in online banking, in fact, I don't even use online banking, but,
that is for various tedious reasons to do with moving house and quite
literally being to busy, to have time to interface with banking people,
to set it all up, as opposed to some misplaced distrust, in the online
banking process.
> But there are some differences which make people think that online
> interfaces are less secure;
>> 1. ATM's have been around a lot longer, there is more study and
> expertise around securing them and security ATM -> bank
> communication.
That's a completely circular thing to say. cvs has been around for a
long time too, and many people are expert in it's use and
implementation. I'd hardly attempt to convince you that I thought it was
a good idea to use it as an SCM, on that basis.
> 2. ATM's generally have a much more limited range for input. The
> ATM's themselves generally only have about 15 buttons, and
> the communications protocols rarely have more than about a
> dozen or so commands. Consider how much variability of input
> SSL/TLS, HTTP and HTML combined have.
Linux operating systems are more complex then DOS. Again, *that's*
hardly a reason, to use DOS in place of Linux is it? You'd hardly
attempt to argue me around to believing that Linux is too /complex/ and
thus error-prone, would you ?
> 3. Online systems are vastly more complex, rely on more software
> and on more software interoperating successfully.
>> 4. Online systems tend to fail open. When you consider how most
> systems are developed, it's not exactly confidence inspiring.
> At least the ATM protocols are stubbornly rigid about what
> will and what won't work.
So you have stated. However since, one of my big issues with the ATM
system versus Online banking is that, I have no idea how, ATMs
communicate, or to what standards ATMs must meet, I can't reasonably
state (as you seem to be able to do) that I have /any/ confidence
whatsoever, in it's implementation.
Quite clearly, Windows Operating systems are in use in the ATM world,
and *that* fact alone really would give me pause. Professionally,
speaking, if I had any choice in the deployment of a system, closed
propiatery magic would not be my choice and certainly not for critical
systems. An ATM, isn't an inflight computer, but, from an financial
point of view, it *is* a critical system.
Do you actually, have any idea, *how* ATMs work at the encryption,
protocol, failover level, that you can attest such systems to be a
superior supplicant for online banking ?
If so, could you actually provide some data, so that others may verify,
your claims, or is it simply now the case, that having made the claims,
you will go to find the corroborating evidence ?
>From where I sit, it seems like an entirely, self righteous position to
claim that Linux Machine + SSL Enabled Webserver is a /less/ secure
delta then (Windows NT || OS/2) ATMs, with unknown/amorphous
communications and encryption mechanisms.
Granted, I have no confidence nor verifiability in the destination of my
sensitive data, once it is within the domain of a Webserver, but, that
particular delta, is roughly analogous to the lack of confidence, I have
for step two in the above linked web page.
Since you seem to be quite convinced of the reliability of ATMs, and my
main point (in case you've missed it) is that Laptop+SSL is /more/ of a
verifiable step, is more transparent, to me as a user, then an ATM.... I
wonder if you or our illustrious friend Mr Foster, would care to backup
your statements re ATMs security ?
It's quite possible that you are right and ATMs are a more secure
system. I doubt that assertion, but, I'll await some, actual data from
you, before I come to a definitive conclusion.
Best Regards,
Bryan
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
