Are those servers really safe?

By Katharine Mieszkowski

By Salon Staff
Published August 10, 2000 7:05PM (EDT)


While this article does a good job of stirring up some fear, uncertainty and doubt, it glosses over several important points that significantly diminish its impact.

The length of the keys used in SSL sessions is not the best way to judge the security of a Web site. "Real hackers" are not likely to waste time cracking the SSL encryption, regardless of how relatively easy or difficult your "cryptology expert" says it may be. To break the weakest SSL encryption requires a reasonable degree of technical competency, plus a good amount of computing power and time. When successful, this type of attack will yield one single credit card number per cracking attempt. The cracking attempt must also be run against an SSL Web browsing session that has been previously captured off the network. The act of breaking into a computer that is in a position to capture SSL sessions is a hacking feat in and of itself. If the hacker can penetrate systems at will, why would he bother with all this crypto when he could just directly compromise the Web server? Unlike the SSL attack, that would have a good chance of turning up many hundreds or thousands of card numbers in a single attack that will usually only take a few moments.

While weak security certainly is a threat to e-commerce, there are bigger problems than SSL. Weak CGI scripts often used as shopping cart software are a less glamorous problem, but far more common. Unnecessary and outdated services running on supposedly secure Web servers are another extremely common (and fatal) mistake. Either of these issues allows the hacker to compromise the server itself.

Given that the system administrators who run these Web sites have a finite amount of time in which to worry about security, I'd say that they were better off patching their base server operating system than agonizing over SSL keylengths. Ideally, they'd have enough time to deal with both problems -- but if you had to prioritize things, I'd hope the vulnerability that led to massive compromise was handled first.

-- John Williams
