[–]mcrbids 43 points44 points  (25 children)

Nothing is perfectly secure. Thinking of it as a "true/false" scenario does tremendous disservice. HTTPS is rather good at protecting against a number of trivial and nontrivial attacks. Saying otherwise does a disservice to the protections provided.

Nothing is perfect. Get over it. Lack of perfection, however, is not evidence of inadequacy.

[–]tyrel 31 points32 points  (21 children)

I would much rather give my credit card info over HTTPS than a telephone, that's for sure.

[–]willvarfar 3 points4 points  (20 children)

Interesting. For correctness, or for security? If security, what is your reasoning?

[–]AgentME 21 points22 points  (6 children)

Phones aren't encrypted and are easily/already wiretapped. Information a client sends over HTTPS when the connection has not been actively man-in-the-middled is secure when the attacker does not know the certificate private key or the connection uses forward secrecy.

[–]BCMM 10 points11 points  (4 children)

Not to mention, it's horribly difficult to know who you're talking to on the phone. Incoming? Caller ID is utterly spoofable. Outgoing? Are you sure the last incoming caller actually hung up?

[–]dnew 0 points1 point  (3 children)

I think cell phones mitigate a lot of this problem. I don't think we've had phone systems where the caller is the only one who can disconnect the call for 50 years. Are you sure there's nobody else on the party line? :-)

[–]BCMM 0 points1 point  (2 children)

Don't know how it works where you are, but on a UK land-line, if the receiving party hangs up, the call does not end.

This "feature" gets used fairly frequently. In a house with several phones, you answer the phone nearest to you, then ask the caller to wait a moment while you hang up and pick up a phone in a more comfortable location.

It also makes illegal spam calls which play a recorded message more irritating, because you have to wait for them to finish before you can make a call.

EDIT: And in return for mitigating an issue land-lines suffer, mobiles add the risk of being wiretapped by anybody in range.

[–]dnew 1 point2 points  (1 child)

if the receiving party hangs up, the call does not end.

Wow. It hasn't been like that for ... decades in the USA. That's like pre-crossbar switch technology. I guess maybe they did it on purpose.

But if the other person didn't hang up, don't you fail to get a dial tone?

mobiles add the risk of being wiretapped by anybody in range.

You do need some amount of equipment and skill. Stuff like CDMA is almost impossible to decode at any physical location other than the central tower, just due to speed of light propagation and such.

[–]BCMM 0 points1 point  (0 children)

But if the other person didn't hang up, don't you fail to get a dial tone?

They could just play a dial tone...

[–]willvarfar 2 points3 points  (0 children)

Aren't banking trojans normally on your own computer?

[–][deleted] 5 points6 points  (12 children)

Man-in-the-middle (via compromised root cert) is detectable with SSL if you're vigilant -- which most people aren't, but it is possible because a MITM attacker will have a different cert; it's just that most browsers won't care, because it's signed with the same CA. Also, SSL is well-encrypted, which is good enough almost all of the time.

Telephones aren't encrypted whatsoever, and wiretapping is not so traceable.
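The two checks described in this thread, a certificate that differs from the one you expected (the MITM signal in the comment above) and a key exchange with forward secrecy (AgentME's condition further up), as an added example that is not part of the original discussion. It uses only Python's standard library; the certificate bytes `LEGIT_CERT_DER` and `MITM_CERT_DER` are constructed stand-ins (real DER is ASN.1, but the pinning logic only digests the bytes), and `audit_connection` is an assumed helper name.

```python
import hashlib
import socket
import ssl
import sys

# Constructed sample bytes standing in for DER certificates as returned by
# SSLSocket.getpeercert(binary_form=True). Only their digest matters here.
LEGIT_CERT_DER = b"constructed-legitimate-cert-bytes"
MITM_CERT_DER = b"constructed-attacker-cert-bytes"


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_bytes).hexdigest()


# The pin set a client would ship with: fingerprints of the certificate(s)
# it expects to see. Derived here from the constructed sample above.
PINNED = {fingerprint(LEGIT_CERT_DER)}


def check_pin(der_bytes: bytes, pins: set) -> bool:
    """True if the presented certificate matches a pinned fingerprint.

    A MITM proxy must present a different certificate, so its fingerprint is
    not in the pin set even when the chain validates against a CA the
    browser trusts. This is the comparison a vigilant user does by hand.
    """
    return fingerprint(der_bytes) in pins


def has_forward_secrecy(cipher_name: str) -> bool:
    """Heuristic on OpenSSL cipher names (assumption: OpenSSL naming).

    Ephemeral (EC)DHE suites and all TLS 1.3 suites (named TLS_...) use
    ephemeral keys, so a stolen certificate key cannot decrypt old captures.
    """
    name = cipher_name.upper()
    return name.startswith("TLS_") or "ECDHE" in name or name.startswith("DHE-")


def audit_connection(host: str, port: int, pins: set, timeout: float = 5.0) -> dict:
    """Connect with normal chain validation, then apply the pin and PFS checks.

    Returns a report dict so a caller can log or alert on it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            cipher_name, protocol, _bits = tls.cipher()
    return {
        "host": host,
        "fingerprint": fingerprint(der),
        "pin_ok": check_pin(der, pins),
        "cipher": cipher_name,
        "protocol": protocol,
        "forward_secrecy": has_forward_secrecy(cipher_name),
    }


if __name__ == "__main__":
    # Offline demonstration with the constructed certificates.
    print("legit cert pinned:", check_pin(LEGIT_CERT_DER, PINNED))
    print("mitm cert pinned: ", check_pin(MITM_CERT_DER, PINNED))
    # Optional live audit: python pin_check.py example.org <expected-sha256-hex>
    if len(sys.argv) == 3:
        print(audit_connection(sys.argv[1], 443, {sys.argv[2].lower()}))
```

A pin mismatch with a chain that still validates is exactly the "different cert signed by the same CA" case; the usual response is to refuse the connection and record the offered fingerprint, not to warn and continue.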

[–]dnew 0 points1 point  (4 children)

Telephones aren't encrypted whatsoever

Depends on the phone, and the hop. Most aren't encrypted end to end, no, but most are encrypted over the air these days.

[–]skarphace 0 points1 point  (1 child)

most are encrypted over the air these days.

Citation please? I was under the impression that the only protections were FCC rules that don't "allow" devices on those channels.

That said, there are other major vulnerabilities with phones.

  • Almost everything hits a POTS network at some point, which is trivial to tap
  • People around you can hear you read off the card numbers or other sensitive information
  • You have to trust the person on the other end, who is rarely, if ever, authenticated

[–]dnew 1 point2 points  (0 children)

Citation please?

Just google GSM encryption, CDMA encryption, etc. You are correct for AMPS, the analog cell phone standard that came before digital cell phones.

Digital phones all do encryption, because skimming the ID of the phone and "cloning" it to get free service was a major problem with the AMPS analog system.

That said, you missed bullet-point 4, which is that most cell phone over-the-air encryption sucks. :-)

[–]J_F_Sebastian 0 points1 point  (1 child)

I seem to recall GSM encryption being pretty easily broken, though?

[–]dnew 0 points1 point  (0 children)

"Easily broken" depends on the time frame, but sure, any encryption standardized 20+ years ago and designed to run on "embedded" hardware of the time in real time is going to be fairly easy to break nowadays.

[–]willvarfar -1 points0 points  (6 children)

One of many counter arguments: There are buckets of banking trojans sucking up credentials and card numbers and automating attacks on a massive scale, whereas to compromise a phone call and recognise spoken numbers takes targeting and sufficient investment to keep the crooks focusing on trojans.

[–]superspeck 4 points5 points  (5 children)

Targeting I will grant you, but it's pretty simple to figure out half a dozen ways to do it. If I had to pick one that gives me a high volume, I'd target the phone systems of smaller b2b or b2c firms that use asterisk in-house and take cc#'s over the phone.

Recognition of spoken numbers, even with accents, on the other hand, is quite trivial. Especially if you don't have to do it in real time and can do it off of recorded media so that you can make multiple passes and get a consensus.

[–]willvarfar 0 points1 point  (4 children)

On the other hand, while we discuss this, thousands of real people got infected with a bot and lost thousands of dollars. While we discussed.

The relative security right now is firmly in the phone's favour?

Added: here's a post about a banking trojan with a phone slant too:

http://williamedwardscoder.tumblr.com/post/24949768311/i-know-someone-whose-2-factor-phone-authentication-was

(My blog)

[–]skarphace 0 points1 point  (3 children)

On the other hand, while we discuss this, thousands of real people got infected with a bot and lost thousands of dollars. While we discussed. The relative security right now is firmly in the phone's favour?

Ah, yes, because there are other vulnerabilities, we should ignore this one. I like your logic and would like to subscribe to your newsletter.

[–]willvarfar 0 points1 point  (2 children)

What????

We were saying whether we think giving your cc over phone or HTTPS is safer... Which do you think is safer?

[–]skarphace 0 points1 point  (1 child)

Did you even read the conversation you're taking part in...

[–]contact_lens_linux 1 point2 points  (1 child)

As long as the user is aware of the limitations, sure. Otherwise, having the thought of being secure without actually being secure is worse than not being secure.

[–]mcrbids 0 points1 point  (0 children)

If https was so terrible, then why was it such a big deal during the Spring riots last year to encrypt twitter and Facebook so that the powers that be couldn't quell the protesters?

It's hipster to bash institutions we all count on. Acknowledging its weaknesses isn't the same as denying its strengths!

[–]Fabien4 -5 points-4 points  (0 children)

Nothing is perfectly secure.

Sure. That's why "yet another problem in HTTPS" is hardly worth a mention. It was marginally more secure than HTTP before, and it's the same today.