WebApp Sec mailing list archives
Re: [WEB SECURITY] SSL does not = a secure website
From: "Richard St John" <Richard.StJohn () gbe com>
Date: Tue, 28 Mar 2006 08:32:53 -0600
What about man in the middle devices such as proxies? I have several devices on my network that encrypt and decrypt SSL on the fly and can be used to monitor what is sent to and from an ECommerce site. The one device {BlueCoat} even has a specialized card for this so it doesn't take from the central processor. We use it for forward proxy, and also reverse proxy in front of our ECommerce site, so if I wanted to I could read the actual packet payload in the clear without either end knowing the data has been decrypted. We also have several sniffers with cards in them to do the same thing; after all, the sniffers and BlueCoat see the entire conversations, so they know what the encryption is.
"Ryan Barnett" <rcbarnett () gmail com> 03/27 7:40 PM >>>
I need some feedback from the lists. Does anyone have any verifiable proof (news story, etc...) that documents where attackers successfully sniffed Credit Card data off of the Internet for an eCommerce site??? Every story that I have read about indicates that attackers mostly obtain this data by breaking into the back-end DB to steal the CC data rather than sniffing. Anyone with info to the contrary?

While I believe that we would all agree that the use of SSL for eCommerce is a good idea, I am interested in the actual THREAT. It seems to me that the real threat to CC data is a vulnerable webapp/backend and not the use of SSL. The PCI Data Security Standard document (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf) lists this as Requirement 4 -

* Protect Cardholder Data *
Requirement 3: Protect stored data
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

So, when an eCommerce website boasts "We are a secure website" - keep in mind that they are referring to Requirement 4. Who knows what they are doing about Requirement 3...

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
Current thread:
- RE: [WEB SECURITY] SSL does not = a secure website Sebastien Deleersnyder (Mar 28)
- <Possible follow-ups>
- Re: [WEB SECURITY] SSL does not = a secure website Richard St John (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Nick Owen (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Mark Mcdonald (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Andrew van der Stock (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Lyal Collins (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Ryan Barnett (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)