Blown To Bits

Is Your Bank’s Site Really Connected to Your Bank?

Wednesday, March 24th, 2010 by Harry Lewis

The intrepid Chris Soghoian, about whom I have blogged previously, has just released another potential blockbuster.

At a trade show he found an equipment manufacturer making these claims about a box it was offering for sale to government investigators:

“Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity. … IP communication dictates the need to examine encrypted traffic at will. … Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”

To back up a step, SSL encryption — which lies underneath the secure browsing you take for granted when you see “https” preceding a URL such as bankofamerica.com — does not by itself guarantee that the site to whom you are connected is in fact the site of the Bank of America. Your browser relies on the site presenting a certificate, and a certificate authority certifying that the certificate really does belong to Bank of America. There are hundreds of these third party certificate authorities — Verisign is the one you are most likely to have heard of — and there is a protocol for those authorities themselves to be certified as reliable. If a certificate authority is issuing bogus certificates — “certifying” that the FBI is really Gmail, for example — then the impostor could read your email or banking transactions, and no one would be the wiser.

What else could the company, Packet Forensics, mean by promising to provide a “false sense of security”? Its answers to Wired, which called the company, certainly are not reassuring.

Company spokesman Ray Saulino initially denied the product performed as advertised, or that anyone used it. But in a follow-up call the next day, Saulino changed his stance.

“The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it,” Saulino said. “Our target community is the law enforcement community.”

Good for Chris. It will be interesting to see how many worms come out of this can. For good summaries, read the Wired or EFF news items. But the paper itself is well written and does not require an advanced education to read.

One Response to “Is Your Bank’s Site Really Connected to Your Bank?”

  1. ???-??? Says:

    “Your browser relies on the site presenting a certificate, and a certificate authority certifying that the certificate really does belong to Bank of America.”
    Can more?