[ILUG] Net banks with linux support

Colm MacCarthaigh colm at stdlib.net
Sat Jul 16 20:08:29 IST 2005


On Sat, Jul 16, 2005 at 06:12:21PM +0100, Bryan O'Donoghue wrote:
> The keyspace, for the encryption used, for SSL/TSL if we assume AES, is
> 2^128 keys... the chances of getting lucky cracking such an encrypted
> set of TCP packets... is quite small. Brute forcing is practically
> impossible, since there is not enough silicon nor enough time in the
> universe, to search the entire AES keyspace.

How is the AES assumption valid? And how do you then extrapolate a 2^128
keyspace? SSL and TLS (not TSL) support variable key sizes, as does the
AES algorithm.

I think you've completely missed the point. The main risks involved with
online banking are not your sessions being intercepted and deciphered,
but rather are to do with the security surrounding the endpoints.

The biggest risks surround your client machine and web-browser. These
range from the phishing attacks, browser cache misbehaviour, the
SSL-transparent unicode DNS problems, to boxes being trojaned, keystroke
loggers and all sorts of really common things like that. However, since
this is a linux-users group, we can assume a certain amount of
risk-mitigation on this side. 

On the server side, you're screwed. You're entirely reliant on whatever
measures the bank has taken. By signing up for online banking, you're
certainly increasing the risk of your sensitive personal information to
others. Judging that risk is very complex though, and SSL/TLS is only
one very small part of the full equation.

> Compare the security and verifiability of SSL to Automatic teller machines.

That's a naive comparison. SSL secures only the communication between
you and the bank's interface. SSL is comparable to ensuring no one can
look over your shoulder, or the ATM screen is readable only from a small
range of angles.

> Do I know how, encryption of my sensitive data is accomplished with ye
> olde ATM machine talking to a bank over PSTN from my local Centra ?

You don't. And that's the point you've completely missed about online
banking. You have no visibility of anything behind the interface the
bank have provided you. 

But there are some differences which make people think that online
interfaces are less secure;

  1. ATMs have been around a lot longer, there is more study and
     expertise around securing them and securing ATM -> bank
     communication. 

  2. ATMs generally have a much more limited range for input. The
     ATMs themselves generally only have about 15 buttons, and
     the communications protocols rarely have more than about a
     dozen or so commands. Consider how much variability of input
     SSL/TLS, HTTP and HTML combined have. 

  3. Online systems are vastly more complex, rely on more software
     and on more software interoperating successfully.

  4. Online systems tend to fail open. When you consider how most
     systems are developed, it's not exactly confidence inspiring.
     At least the ATM protocols are stubbornly rigid about what
     will and what won't work.

Of course ATMs still have their own deficiencies, like the simple
man-in-the-middle attacks that have been occurring in the last few years.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net
