Firewall Wizards mailing list archives
Re: XML tag encryption?
From: Rama Kant <kant () adeptech com>
Date: Wed, 05 Jun 2002 10:43:20 -0400
As Bellovin pointed out, and as I know from my experience, credit card numbers are easily recognizable. While giving a credit card number over the phone, as soon as you begin to rattle off the number, the person at the other end can tell whether the number belongs to Amex or Visa or other.
That is why just encrypting the tags will not really address the issue. Whether the application does it or a boundary data processor does it, both the tags and the sensitive data associated with them have to be encrypted.
Further, in order to address the issue of a brute-force approach, any solution will also have to take out any context to such data as well.
Rama Kant

At 09:23 AM 6/5/02, Marcus J. Ranum wrote:

Rama Kant wrote:
><amex cc no>3744 342298 98000</amex cc no>
>>Now which application developer would be so much out of his/her mind to embed such XML codes?

Hmm... Don't you work with programmers much? I'm figuring that just about 95% of the software engineers out there, if they were going to embed a credit card number would do exactly that!! Maybe they'd use a syntax more like:

    <ccno type=amex>3744 342298 98000</ccno>

C'mon. These kinds of things happen all the time. Someone tells the programmer to store the CC# someplace and they use the most sensible approach at the time. Later, some marketing guy says "oh yeah, now we can send that over the INTERNET!" and the programmer has already populated all the databases with the <ccno> tag. Ooops. Tight deadline. Just ship it.

Joking aside, the solution we're talking about is just another boundary data-processor. It could just as easily be an awk script that strips out <ccno> tags, or a fancier script that shoves them through pgp. The value of this "solution" if it has any is in the integration it offers the customer. The market will tell.

mjr.
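The point made in the message above, that a card number identifies itself by its own shape whatever tag surrounds it, shown as an added example that is not code from the thread. It is a boundary check that ignores markup entirely and classifies values by leading digits, length and Luhn checksum. The tag names `x9f3a1` and `order`, the three-issuer prefix table and the Visa test number are assumptions made for illustration.

```python
import re

# Runs of 13-19 digits, allowing a single space or hyphen between digits.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def brand(digits):
    """Guess the issuer from leading digits and length alone (simplified table)."""
    if len(digits) == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if len(digits) in (13, 16) and digits[0] == "4":
        return "visa"
    if len(digits) == 16 and 51 <= int(digits[:2]) <= 55:
        return "mastercard"
    return None

def luhn_ok(digits):
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(payload):
    """Return (brand, luhn_ok, matched_text) for card-shaped values; tags are ignored."""
    hits = []
    for m in CANDIDATE.finditer(payload):
        digits = re.sub(r"\D", "", m.group())
        b = brand(digits)
        if b:
            hits.append((b, luhn_ok(digits), m.group()))
    return hits

def redact(payload):
    """Boundary filter: mask every card-shaped value, whatever tag wraps it."""
    def mask(m):
        return "[REDACTED]" if brand(re.sub(r"\D", "", m.group())) else m.group()
    return CANDIDATE.sub(mask, payload)

# Constructed samples. The first value is the one quoted in the thread; the
# opaque tag stands in for a tag-only encryption, and 4111... is a test number.
CLEAR_TAG = "<ccno type=amex>3744 342298 98000</ccno>"
OPAQUE_TAG = "<x9f3a1>3744 342298 98000</x9f3a1>"
OTHER = "<order><x9f3a1>4111-1111-1111-1111</x9f3a1><qty>12</qty></order>"
```

Hiding the tag name changes nothing in what `find_cards` reports, and the thread's sample number is flagged as Amex-shaped even though it fails the Luhn check, so prefix and length alone are enough context to give the field away.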