May 16, 2001
For more than 15 years, we have been deluged with the idea that Internet encryption, SSL in particular, is sine qua non--an absolutely indispensable component of enterprise and e-commerce security. The argument goes like this: Because the Internet uses packet switching rather than circuit switching, our traffic is part of giant party lines--easily sniffed (eavesdropped, snooped, wiretapped) by almost anyone with a packet sniffer and a little ambition. Because most of us in the infosecurity community regard Internet encryption as a given, we, in turn, pester partners, end users and anyone else who will listen to make sure their browsers are in secure mode whenever transmitting sensitive information (address, credit card number, etc.).
On a more technical level, security geeks constantly remind us that the paltry 40-bit encryption in default browsers can easily be broken with an old desktop PC in a day. We should really use 56-, 64- or 128-bit encryption, they argue, because every added bit doubles the work of a brute-force search: exhausting the keyspace would take 1,000 computers a week (56-bit) or every computer on the planet a century (128-bit).
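To show what the key-length argument actually rests on, here is an added example (not from the column or from any browser vendor) that runs a known-plaintext brute-force search against RC4, the cipher the 40-bit export SSL suites used, and then extrapolates the measured rate to 40, 56 and 128 bits. Everything in it is constructed: the 40-bit key, the HTTP request used as plaintext, and the assumption that the attacker already knows the high 24 bits of the key so that only 16 bits are searched (export SSL kept only 40 of the key bits secret; the rest was sent in the clear or derived from public handshake values, which is the same shape of problem). The per-key cost is that of a real 40-bit search, so the extrapolation is honest, but the absolute numbers depend entirely on the machine it runs on.

```python
"""Brute-force cost versus key length, shown with a known-plaintext search over RC4.

Added example, not part of the original column. The key, the plaintext and the
"attacker already knows 24 of the 40 key bits" assumption are all constructed
so the search finishes in seconds; the work per candidate key is unchanged.
"""
import time

KEY_BITS = 40           # secret key length of the export-grade SSL ciphers
UNKNOWN_BITS = 16       # portion actually searched here (constructed, for demo speed)

# Constructed sample: the start of an HTTP request is highly predictable, which is
# exactly the known plaintext a brute-force search needs to recognise the right key.
KNOWN_PREFIX = b"POST /checkout HTTP/1.0\r\n"
SECRET_BODY = b"Host: shop.example\r\n\r\ncc=4111111111111111&exp=0503\r\n"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA), then XOR the data with the keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def make_key(known_high: int, unknown_low: int) -> bytes:
    """Assemble a KEY_BITS-bit key from attacker-known high bits and searched low bits."""
    return ((known_high << UNKNOWN_BITS) | unknown_low).to_bytes(KEY_BITS // 8, "big")


def brute_force(ciphertext: bytes, known_prefix: bytes, known_high: int):
    """Known-plaintext search over the unknown low key bits.

    Returns (recovered_key, keys_tried, keys_per_second). Only the first
    len(known_prefix) bytes are decrypted per candidate, which is all an
    attacker needs to test a guess.
    """
    n = len(known_prefix)
    start = time.perf_counter()
    for candidate in range(1 << UNKNOWN_BITS):
        key = make_key(known_high, candidate)
        if rc4(key, ciphertext[:n]) == known_prefix:
            elapsed = time.perf_counter() - start
            return key, candidate + 1, (candidate + 1) / max(elapsed, 1e-9)
    elapsed = time.perf_counter() - start
    return None, 1 << UNKNOWN_BITS, (1 << UNKNOWN_BITS) / max(elapsed, 1e-9)


def years_to_exhaust(bits: int, keys_per_second: float, machines: int = 1) -> float:
    """Worst-case time to try every key of a `bits`-bit keyspace, in years."""
    return (2 ** bits) / (keys_per_second * machines) / (365.25 * 24 * 3600)


def demo():
    # Constructed secret key: the attacker "knows" the high 24 bits, searches the low 16.
    known_high, secret_low = 0x5A1E03, 0x2C71
    key = make_key(known_high, secret_low)
    ciphertext = rc4(key, KNOWN_PREFIX + SECRET_BODY)

    found, tried, rate = brute_force(ciphertext, KNOWN_PREFIX, known_high)
    assert found == key
    print(f"recovered key {found.hex()} after {tried} tries at {rate:,.0f} keys/s")
    print("plaintext:", rc4(found, ciphertext).decode())

    # Each added bit doubles the work; that doubling, not any particular rate, is the
    # whole substance of the "40-bit is paltry, 128-bit takes a century" argument.
    for bits, machines in ((40, 1), (56, 1000), (128, 10**9)):
        print(f"{bits:3d}-bit keyspace on {machines:>13,} machine(s): "
              f"{years_to_exhaust(bits, rate, machines):.3g} years")
    return found, tried, rate


if __name__ == "__main__":
    demo()
```

Run it as-is and the 16-bit search completes in a second or two in plain Python; the extrapolated 40-bit figure then lands in the range of days on one machine, while 128 bits comes out many orders of magnitude beyond the "century" in the column, because each of the 88 extra bits doubles the work again. Note that the search only needs a few bytes of predictable plaintext, which an HTTP request always provides.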
Yes, data encryption is a fundamental concept in security, and I'd be a fool to say it's not important for many applications and in many environments. But all this brouhaha about Internet transaction encryption misses a much larger point: The risk of having your credit card number sniffed on the public 'Net is next to nothing. I'm not talking about sniffing on slow network segments or on a corporate subnet--where the risk is real--but rather on the public Internet.