
what are realistic threats?



This message isn't meant as a response to any particular posting here.
Rather it's the fallout from a discussion I had with a colleague last
week.  I think, in our efforts to provide security on WWW, we should
tune the level of security to the expected risks and threats.  (Let me
state up front that I'm far from a security expert.  I'm sure some real
experts will make that clear with their follow-ups!)

I think the most likely risk on the Internet with respect to security
is passive listening.  I know it's theoretically possible to intercept
and change messages, or to inject new ones, but I think to do so
requires a level of sophistication and access that is unavailable to
all but a very small number of people.  Even then, I'm assuming we're
just talking about technologically savvy people, not the security
services of governments.

Assuming I'm right, what are the likely risks with WWW as it now exists
due to passive listening?  These come to mind quickly:

1) Reading credit card numbers.
2) Reading username/password pairs for the Basic authentication scheme.
3) Reading responses (documents) from servers.

Relatively simple encryption schemes can solve these passive listening
problems.  (Without necessarily endorsing S-HTTP, I note it addresses
these three items.)  What's more, a server could directly send a client
its public key, and, assuming only passive listening, the client can
trust the response.

My point:  while we can (attempt to) design spook-proof security schemes,
I think we can achieve a huge part of what we really seek with relatively
simple, low-cost technology.  Considering the other opportunities to (for
example) grab credit card numbers, such as "shoulder-surfing" in stores,
collecting discarded receipts, etc., grabbing credit cards off the
Internet by spoofing messages would probably be unattractive.

And now for opposing points of view... :-)
David M. Kristol
AT&T Bell Laboratories
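What those three items actually hand a passive listener, as an added illustration that is not part of the post above: a small Python scanner run over a constructed cleartext-HTTP capture (the same logic a defender's cleartext-credential alert or DLP rule uses). Names, the sample traffic and the card number are all constructed for the example.

```python
import base64
import re

# Constructed sample (not a real capture) of what a passive tap on
# cleartext HTTP would record: Basic credentials, an order form with a
# card number, and the server's reply.
CAPTURED = """\
GET /private/report.html HTTP/1.0
Authorization: Basic YWxpY2U6aHVudGVyMg==
User-Agent: Mosaic/2.4

POST /order HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

name=Bob&card=4111+1111+1111+1111&qty=2

HTTP/1.0 200 OK
Content-Type: text/html

<html><body>Your order was accepted.</body></html>
"""

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.M | re.I)
CARD_RE = re.compile(r"(?<!\d)(?:\d[ +-]?){13,18}\d(?!\d)")
RESP_RE = re.compile(r"^HTTP/1\.\d \d{3}[^\n]*\n.*?\n\n(.*?)(?:\n\n|\Z)", re.M | re.S)


def luhn_valid(digits):
    """Luhn checksum, so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def harvest(capture):
    """What items 1-3 of the post expose to a listener who only reads bytes."""
    creds = []
    for token in BASIC_RE.findall(capture):  # item 2: Basic auth is just base64
        user, _, pw = base64.b64decode(token).decode("latin-1").partition(":")
        creds.append((user, pw))
    cards = [re.sub(r"\D", "", m.group(0)) for m in CARD_RE.finditer(capture)]
    cards = [c for c in cards if luhn_valid(c)]  # item 1
    responses = [b.strip() for b in RESP_RE.findall(capture)]  # item 3
    return {"credentials": creds, "cards": cards, "responses": responses}
```

Wrap the same exchange in any confidentiality layer and all three lists come back empty, which is the whole of the post's case for simple encryption against passive listening.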

