Skip to main content

Posts

Showing posts from May, 2014

eBay's Weak Security Architecture

Well eBay are in the news due to their breach of 145 million users' account details. There are a few worrying things about this breach, beyond the breach itself, that point to architectural issues in eBay's security.

The first issue is that a spokeswoman (according to Reuters) claimed "that it used 'sophisticated', proprietary hashing and salting technology to protect the passwords." This sounds very much like security through obscurity, which doesn't work. So, either they are using a proprietary implementation of a publicly known algorithm, or they have created their own. Both of these situations are doomed. As always, no one person can think of all the attacks on an algorithm, which is why we have public scrutiny. Even the best cryptographers in the world can't create new algorithms with acceptable levels of security every time. Do eBay have the best cryptographers in the world working for them? I don't believe so, but I could be wrong.

Also, if…