The Register® — Biting the hand that feeds IT

Comments on: Ryanair check-in site exposes data

How bad is this really? 

Posted Thursday 24th May 2007 11:29 GMT

I've always wondered just how serious a security issue this really is.

Compared to other problems such as bad session handling and general coding errors this is surely fairly trivial.

If I'm trying to get someone's personal details then the use of viruses and trojans seems to be a far better option. To intercept someone's traffic to a website I need to find somewhere along the route between their PC and the website in question where I can plug in my sniffer and then wait for them to connect. This is surely a very time-consuming and difficult thing, and other methods would seem to be far easier.

If anything, the real value of SSL is to assure the user that the site they are connected to is what it claims to be.

The lack of SSL only marginally increases the user's risk of losing personal information compared to the multitude of much more likely ways these details will be exposed (not least HR people leaving their laptops lying on a tube train).

Is anybody surprised 

Posted Thursday 24th May 2007 11:36 GMT

At least it saves the US security services the bother of demanding data that has nothing to do with them.

They can just grab it as it floats past, like all the other data they grab and pass back to the UK services

IP port sniffing 

Posted Thursday 24th May 2007 12:28 GMT

----

To intercept someone's traffic to a website I need to find somewhere along the route between their PC and the website in question where I can plug in my sniffer

----

Could you not just point a packet sniffer at the website's IP address and intercept all traffic heading for port 80?

It's mainly wireless

Posted Thursday 24th May 2007 13:26 GMT

Whilst this is not a security risk from the likes of Russian mafia or bored people in Thailand or Indonesia (due to the difficulty of packet sniffing) it is a problem to anyone using a wireless network. Sniffing packets on this will let you access passport data, and since the hacker will probably know where the target lives this gives them access to all sorts of data.

It is a real problem 

Posted Thursday 24th May 2007 13:46 GMT

----

To intercept someone's traffic to a website I need to find somewhere along the route between their PC and the website in question where I can plug in my sniffer

----

Admittedly this would be tough to do against a home PC and a DSL link, but at work or a cybercaff or a library or anywhere using a shared IP subnet it's not too difficult.

Wifi! 

Posted Thursday 24th May 2007 22:59 GMT

In addition to the Cybercafes and other open networks, remember that most of the amazing population that makes up our fabled "Internet Users" are totally unable to secure their wifi properly. It's not really the website's fault if someone sniffs details off the customer's own wlan, but SSL is still just generally a good idea. I still agree that all those XSS and injection vulnerabilities are far worse.

- Nex

Obtaining passport data 

Posted Friday 25th May 2007 02:33 GMT

I'm sure there are lots of corrupt government officials in many countries who'd sell you a disk of visa applicant or landing card data with the details of a few million passport holders.

Of course modern technology makes this easier - it's a lot more useful getting a disk than a hundredweight of landing cards or filled out visa applications.

Re: How bad is this really? 

Posted Friday 25th May 2007 10:27 GMT

>> To intercept someone's traffic to a website I need to find somewhere along the route between their PC and the website

Like .. on a wireless connection? There's lots of hotspots (at the airport for example ;)) - and most of them make use of unencrypted links.

Apart from that - it is not a good idea to trust anyone between you and the merchant when it comes to credit card details.

So the real value of SSL isn't just to verify that the site is who it claims to be..

That said - XSS and so on are of course also a problem.

Re: How bad is this really? 

Posted Sunday 27th May 2007 02:01 GMT

It might not be the worst possible problem, but it is irresponsible for the reasons already discussed, and could also betray a general laissez-faire attitude towards personal data... you know what they say - if the visible part of the restaurant is dirty, imagine what the kitchen is like!

Ehmm... pretty serious actually... 

Posted Sunday 3rd June 2007 08:24 GMT

Well, it's pretty trivial to find somewhere to do your sniffing, if you really want some tasty info. Open Wifi networks are the first thought. But here is something even more worrying. Think about the fact that most hotels have to have open wifi to save them the hassle of residents getting network keys. Of course they may/may not have the login page which activates their paid time on the hotel internet, but the underlying wifi is still unencrypted. If you couple that together with the fact that many people will be in hotels the night before, and will check in from there? oooopsss prime location! I would sit outside the Holiday Inn at Heathrow with my laptop and surely have piss loads of passport numbers (and probably plenty of other stuff too).... And even if the link IS encrypted, it better be better than WEP. If you sniff out (passively) enough WEP-encrypted packets, it only takes a short time to figure out the key. You can then use this to de-encrypt ALL the packets you have captured... and get this.. AFAIK, it's one hundred percent legal.. you haven't plugged your computer in to someone's network, you haven't hacked into the network by entering the wireless password... you have merely captured what was voluntarily being transmitted through the air. Of course, the information thief can and WILL use this info for illegal purposes, and Ryanair therefore need to get this sorted out immediately! because this is an information thief's dream!