Blown To Bits

Is Your Bank’s Site Really Connected to Your Bank?

Wednesday, March 24th, 2010 by Harry Lewis
Surgery, buy free norvasc no prescription dosage when possible, offers the best chance for a cure in buy cheap norvasc online patients with localized pancreatic cancer. (For information on the recommended viagra sale dosages of aripiprazole, see the "Aripiprazole oral tablet dosage" section artane for order above.) Unresectable liver cancers can occur in several stages of estrace vaginal cream sale liver cancer before it has spread to lymph nodes or buy amikacin without prescription more distant areas. At this time, it's not known if buy cheap accutane online the drug may be present in breast milk or what buy estrace from us effects it may have on a child who is breastfed. viagra no online prescription People who are pregnant or plan to become pregnant should find viagra without prescription talk with a doctor about all medications they take. While purchase discount cialis sale people who are grieving may express that they feel depressed, there.

The intrepid Chris Soghoian, about whom I have blogged previously, has just released another potential blockbuster.

At a trade show he found an equipment manufacturer making these claims about a box it was offering for sale to government investigators:

“Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity. … IP communication dictates the need to examine encrypted traffic at will. … Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”

To back up a step, SSL encryption — which lies underneath the secure browsing you take for granted when you see “https” preceding a URL such as bankofamerica.com — does not by itself guarantee that the site to whom you are connected is in fact the site of the Bank of America. Your browser relies on the site presenting a certificate, and a certificate authority certifying that the certificate really does belong to Bank of America. There are hundreds of these third party certificate authorities — Verisign is the one you are most likely to have heard of — and there is a protocol for those authorities themselves to be certified as reliable. If a certificate authority is issuing bogus certificates — “certifying” that the FBI is really Gmail, for example — then the impostor could read your email or banking transactions, and no one would be the wiser.

What else could the company, Packet Forensics, mean by promising to provide a “false sense of security”? Its answers to Wired, which called the company, certainly are not reassuring.

Company spokesman Ray Saulino initially denied the product performed as advertised, or that anyone used it. But in a follow-up call the next day, Saulino changed his stance.

“The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it,” Saulino said. “Our target community is the law enforcement community.”

Good for Chris. It will be interesting to see how many worms come out of this can. For good summaries, read the Wired or EFF news items. But the paper itself is well written and does not require an advanced education to read.

One Response to “Is Your Bank’s Site Really Connected to Your Bank?”

  1. ???-??? Says:

    “Your browser relies on the site presenting a certificate, and a certificate authority certifying that the certificate really does belong to Bank of America.”
    Can more?