
Re: NY Times Article



-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
MIC-Info: RSA-MD5,RSA,
 Blj0RB3HEtVrPlJcRwN6dzdjJV1jD44btXt8pXqYzXRko68rBNjOa4qQO795FdpX
 xCwoy9cgnVXQcLW9yQk35Ag=

> 	Yes. There is absolutely -nothing- new in the NFS exploit
> exposed by the UC Berkeley students. It has been common knowledge that
> NFS is insecure and should not be used over untrusted networks. The
> details of their specific exploit have not been used in the past, but
> there is nothing which merits new concern over the security of
> internet transactions. 
> 
> > 
> > The front page of today's New York Times focuses on (alleged) recently 
> > discovered security flaws inherent in the structure of the Web that could 
> > potentially delay the take-off of electronic commerce.

	....

I did not read the NY Times article, but I did read the original posting
by Paul Gauthier from UCB.  His point had nothing to do with NFS -- in fact, 
he cited the NFS hole only because it was a well-known problem.  Rather, he 
was concerned about the attention devoted to the security of Netscape's SSL
implementation, for it was obscuring the fact that the security of an
electronic transaction depends upon ALL aspects affecting the security of
the two end systems making the transaction, not just the transaction
protocol.  He then cited a couple of examples illustrating this concept.
One was NFS.  The more scary example was that of on-the-fly modification
of binaries downloaded over the network.

How many of you downloaded your copy of the Netscape browser from the net?
How many routers and gateways sit between you and the server from which
	you downloaded the browser?
Who has access to those routers and gateways?  Do you know?  Do you trust
	them?
Did you download the browser from home over a modem?  Who has access to the
	phone company's packet switching network?  Do you know for sure?

It has been assumed that on-the-fly modification of information crossing
the network is difficult and only a minor concern.  The value of the Berkeley
work is that it shows how easily an attacker with access to any of these 
intermediate packet switching points can target specific traffic and modify 
the data passing through them.  It is only a matter of time before tools to 
do this start appearing in the computer underground.

Have you ever borrowed a floppy from a friend?  Used a shareware program?
Downloaded a program or Postscript file from the network?  Have you ever
accepted a Word document or Excel spreadsheet from the network, a friend
or coworker? How can you be sure that you haven't run a virus or Trojan
Horse that either:

	a) patched your WWW browser to use well-known keys
	b) hangs out as a TSR and forwards your password/credit card #, etc...
	   to an attacker?

Attacks such as these succeed no matter how secure the web protocol.  They
are not just theoretical, and they will become more common as the potential
reward for a successful attack increases.

In order to have secure Electronic Commerce over a public network you need:

1) a secure transaction protocol between
2) secure client and server systems
3) running only trusted applications
4) on behalf of properly authenticated and authorized users
   ...

Not necessarily in that order.  Anything less is just gambling.  

Fortunately, the tools to create such an environment are available from a 
number of sources.  A sample can be found at http://www.secureware.com.
(blatant commercial pitch :-).

Charles Watt
SecureWare, Inc.

-----END PRIVACY-ENHANCED MESSAGE-----

