Tuesday, November 30, 2004
"Optimize your Internet connection"?
There's a service called MarketScore that promises to speed up your web browsing. It comes bundled with file sharing software from iMesh. They offer to store popular web pages on their own computers which then pass the popular pages along to you. They do this without your knowing about it: you just type in the same web address you always use, and they make it go to their computer instead of going straight to the one you had in mind.
So far, so good. That kind of service is called a "proxy", and you may be using one already without knowing it. There are some mild privacy implications, if you don't want the proxy operator to know that you visited asiangirlsincombatboots.com.
MarketScore is doing something unusual, though. They're also sitting in the middle of "secure" transactions (like sending your credit card number) and are able to see the contents. You can check that the little padlock appears at the bottom right of your browser window, you can double-check that the Web address begins with "https" instead of "http", but you can still be exposing your credit card number to a stranger.
How's that possible? Your credit card number is supposed to be electronically scrambled ("encrypted") so that eavesdroppers can't get it before it gets to where it's going. And it is, but there's one more step to keeping your credit card number out of unfriendly hands. You have to be sure you're really talking to the online store and not somebody else. Otherwise that somebody else will get your credit card number securely transmitted to them. That's what MarketScore is doing. Then they pass the information along to the real merchant, you get what you ordered and all is well. In theory.
MarketScore is doing something that should be technically impossible. If you want to impress your friends, call it an "SSL Man in the Middle Attack". Part of what makes a transaction "secure" is that the web site you're talking to has to prove who they are. Unfortunately the software which checks who you're talking to isn't what it should be. It can be fooled easily by a simple change to your browser settings, a change which MarketScore makes.
As far as I know MarketScore is perfectly honest. I'm not accusing them of peddling spyware. But how secure are their computers? Amazon.com has a good track record handling our credit card numbers, but how do we know MarketScore won't get compromised?
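One way to notice that kind of settings change, as an added example that is not from the original post: assuming the change takes the form of an extra trusted root certificate (the post does not say), compare the certificates your machine trusts now against fingerprints saved while it was known to be clean. The sample "certificates" are constructed placeholder bytes, and the function names are made up for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    found = []
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))  # drop line breaks first
        found.append(hashlib.sha256(der).hexdigest())
    return found


def unexpected_roots(pem_bundle, baseline):
    """Fingerprints trusted now that are missing from the known-good baseline."""
    return [fp for fp in fingerprints(pem_bundle) if fp not in baseline]


def to_pem(der):
    """Wrap raw bytes in PEM armor (used only to build the sample below)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: placeholder bytes, not real certificates.
ROOT_A = b"constructed-root-A" * 8
ROOT_B = b"constructed-root-B" * 8
ADDED = b"constructed-added-root" * 8

# Baseline recorded on a clean machine; CURRENT is the trust list as it is now.
BASELINE = set(fingerprints(to_pem(ROOT_A) + to_pem(ROOT_B)))
CURRENT = to_pem(ROOT_A) + to_pem(ADDED) + to_pem(ROOT_B)

if __name__ == "__main__":
    for fp in unexpected_roots(CURRENT, BASELINE):
        print("trusted root not in baseline:", fp)
```

Any fingerprint it reports belongs to a certificate that can vouch for web sites on your machine but was not there when the baseline was taken.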