Insecurity in WWW oriented security




I wanted to share an experience with folks on the list
that points to the relevance of what c'punks have been
doing looking at the Web encryption & security issues
like we have.

I was approached by a headhunter yesterday who wanted me
to do the security for a hospital connected to the net.
Straightforward stuff one would think. My initial reaction
was fairly positive, and I responded that I didn't think
I would have much trouble with the task as long as they had
a reasonable setup internally etc. etc. (I'm not a big believer
in hard & crunchy -> soft & chewy when your accounting or
other critical data is part of what can be chewed up...)

Well at that point it got interesting. He told me that said
client was asking as a part of their requirements that they
be able to do "Secure transactions using HTML & Netscape".
My reaction was somewhere along the lines of "What do they
mean by `secure transactions'!! Are they aware that the state of
encryption for WWW is really poor at best right now?" I told him
that I thought this might not be such a hot idea, and that
my interest in this whole thing would hinge totally upon exactly
what sorts of transactions they wanted to do using web servers
and the like. And that depending on the answer to that, I would
or would not be interested in the whole thing.

The reason for my hesitation? I don't want blood on my hands over
a setup that is by definition currently in a state of very poor
security. And right now I have no idea if they want to transfer
MasterCard's or MRI's. But I do know that depending on what it
is they're planning, it might not be a place *I* want to be.

Besides being damned frightening, this points to a trend in
network evolution. Organizations are planning these sorts of
moves and utilizations of the technology with little thought
to the possible consequences of it.

And if the FBI ends up busting some psycho in the future for
tampering with the transactions of MRI data, x-rays, or any
of a million other possibilities, I seriously doubt that
Louis Freeh will be stepping forward to remind us all of
the need for robust security. Instead, it is far more likely
that he would argue that it was another example of the need
for increased monitoring of the internet and controls on
cryptographic solutions.

I found aspects of the whole conversation, juxtaposed with
what has been going on lately with the list, chilling to
say the least.



Tim Scanlon


________________________________________________________________
[email protected] (NeXTmail, MIME)  Tim Scanlon
George Mason University     (PGP key avail.)  Public Affairs
I speak for myself, but often claim demonic possession