SECURITY FOR THE CXO - THE CRYPTO MYTH

If you assume SSL is essential to Internet security, guess again.

BY PETER TIPPETT

What's our biggest obstacle in implementing good corporate security? Lack of funding? Lack of management support? Network configuration complexity? Lack of end user awareness? Keeping up with patches and updates?

The answer, I would argue, is none of these, but rather misdirected focus. We devote much more time and effort to putting out fires than to making our systems flame-retardant. Worse, when we do pay attention to prevention, we often misdirect our actions toward what the security "experts," auditors, regulators, our peers and "common sense" deem important. Unfortunately, for most things related to security, what seems like the right thing to do, isn't.

For more than 15 years, we have been deluged with the idea that Internet encryption, SSL in particular, is sine qua non--an absolutely indispensable component of enterprise and e-commerce security. The argument goes like this: Because the Internet uses packet switching rather than circuit switching, our traffic is part of giant party lines--easily sniffed (eavesdropped, snooped, wiretapped) by almost anyone with a packet sniffer and a little ambition. Because most of us in the infosecurity community regard Internet encryption as a given, we, in turn, pester partners, end users and anyone else who will listen to make sure their browsers are in secure mode whenever transmitting sensitive information (address, credit card number, etc.).

On a more technical level, security geeks constantly remind us that the paltry 40-bit encryption in default browsers can easily be broken with an old desktop PC in one day. We should really use 56-, 64- or 128-bit encryption, they argue, because it would take a week of 1,000 computers (56 bit) or a century of all the computers on the planet (128 bit) to break.

Yes, data encryption is a fundamental concept in security, and I'd be a fool to say it's not important for many applications and in many environments. But all this brouhaha about Internet transaction encryption misses a much larger point: The risk of having your credit card number sniffed on the public 'Net is next to nothing. I'm not talking about sniffing on slow network segments or on a corporate subnet--where the risk is real--but rather on the public Internet.

In my March column (www.infosecuritymag.com/articles/march01/columns_executive_view.shtml), I discussed a basic equation for quantifying risk:

Risk = Threat x Vulnerability x Cost

Let's apply this equation to the concept of Internet encryption. The risk we are mitigating by encrypting our e-commerce transactions is the risk of someone sniffing our traffic somewhere between us and the destination site. To quantify this risk, we only need to measure or estimate the vulnerability (likelihood of success or vulnerability prevalence), threat (frequency of attempts or successes) and cost (of a successful security breach by this mechanism) of this alleged problem.

OK, so what is the vulnerability of Internet sniffing? I would argue that the likelihood of success of sniffing somewhere between your home or office and an e-commerce Web server is incredibly low, perhaps as low as 106 (meaning the likelihood of success would be one in 100,000 sniffing attempts).

A few years ago, I hosted a TruSecure ISP Backbone Security (ISPsec) Consortium meeting, where we discussed a problem MCI and other ISPs were having trying to fulfill an FBI wiretap request. The court order wanted MCI to write to disk a week's worth of data from an OC3 Internet pipe for later analysis. After many months of complex technical work, using the fastest processors, tools and disk arrays obtainable, MCI was only able to sniff the headers from the wire.

Three years have passed, and Moore's Law tells us that processors are perhaps three times faster, and disk drives perhaps two times faster. Bandwidth has also increased; today's OC192 pipes are more than 60 times faster than OC3. Translation: As difficult as sniffing was three years ago, it's 20 to 30 times more difficult today, even if you're a backbone ISP.

Of course, other factors further reduce the vulnerability, including the problem of identifying which fiber to sniff and the fragmentation of transmitted packets.
Now, what about the threat rate? We read lots of news reports about this and that Web site losing thousands of credit card numbers to a database cracker, but have you ever once heard about a cracker obtaining such information by sniffing the public Internet? Neither have I. That's because, for credit cards at least, it hasn't happened.

Proponents of Internet encryption might cite this fact as a "crypto success story." The reason no one has sniffed credit card numbers on the public 'Net is because everyone's using encryption.

Baloney. In 2000, less than half of the credit card numbers traveling across the Internet were encrypted at all. For the other half, more than 70 percent of browsers in North America and Western Europe only support 40-bit encryption. Most B2B sites still use private (unencrypted) lines or 56-bit DES. All of this is to demonstrate that the threat is lower than low. In fact, it appears to be zero.

That brings us to cost. This one is quick. For consumers, the loss of credit card information is somewhere in the "minor hassle" category. If someone steals your credit card and charges four new radial tires on it, you're only liable for $50 under the worst of circumstances. (Most credit card issuers waive all liability if you contact them within 24 hours.) A new card arrives within a day or two, and you're back in business. No hassles, no headaches...and no cost.

So, when we consider all these factors together, here's what our risk equation looks like: The risk of credit card fraud by sniffing the public Internet has a very low vulnerability multiplied by a threat rate near zero multiplied by a very small cost. When you extrapolate this out to the millions of people transmitting credit card numbers over the 'Net, the risk is darn near zero. In fact, I would argue that it's not even in the top 1,000 real risks worth worrying about. This hasn't always been the case, but as each year passes and bandwidth and traffic and processor speed all increase exponentially, the risk of such a breach is less and less, with or without encryption.

This is what I mean about misdirected focus. No part of the credit card theft problem relates to Internet sniffing. No amount of transit encryption has any real value once you get outside the DMZ. The number one e-credit card problem has always been the insecurity (both physical and electronic) of servers and databases storing this information. But instead of addressing well-known and easily fixed server vulnerabilities, or setting up basic programs to make sure Internet-facing machines are regularly patched and updated, we spend money and resources on the most pervasive and least provable Internet security myth.

In the 14th Century, Philip VI of France ordered doctors at the University of Paris to explain why Europe was getting hit so hard by the bubonic plague. Their answer was that Saturn, Jupiter and Mars were in an unusual alignment in the 40th degree of Aquarius.

In 1600, years before Galileo was ostracized, Dominican friar Giordano Bruno was burned at the stake for insisting that the Earth traveled around the Sun.

Nuff said?