Potential SSL/TLS Vulnerability Status of Major Ecommerce Sites

In November 2009, a major flaw was revealed in the primary protocol used to secure the Web.

The flaw, named CVE-2009-3555, is well understood and can allow a hacker to perform a secure transaction using a victim’s credentials. Real web applications have been hacked using this flaw.

Smart people have developed a fix; its name is RFC 5746.

Many Internet browsers have been upgraded to support this fix. Unfortunately, fixing the browsers is not sufficient. The fix only works if web sites are upgraded, too.

Unfortunately, many major sites on the Web have not yet upgraded their software.

[Sigh. Why don't admins fix the problem when a solution is already in place?]


Mozilla Debates Whether to Trust Chinese CA

Sometimes geeky technical details matter only to engineers. But sometimes a seemingly arcane technical decision exposes deep social or political divisions. A classic example is being debated within the Mozilla project now, as designers decide whether the Mozilla Firefox browser should trust a Chinese certification authority by default.

Here’s the technical background: When you browse to a secure website (typically at a URL starting with “https:”), your browser takes two special security precautions: it sets up a private, encrypted “channel” to the server, and it authenticates the server’s identity. The second step, authentication, is necessary because a secure channel is useless if you don’t know who is on the other end. Without authentication, you might be talking to an impostor.


iPhone Certificate Flaws

The iPhone is obviously a consumer-market product that was later enhanced to become an enterprise device. Unfortunately, it seems Apple messed up its corporate-oriented functionality, ending up with something that proves hard to integrate into a public-key infrastructure in any secure way.

The following page summarizes our findings in terms of chain-of-trust management on iPhones, describes a major security flaw and how we could cope with the current situation (Jan 2010).


Botnet Sends Fake SSL Pings to CIA, PayPal, Others

In an attempt to hide the location of its command-and-control server, the Pushdo botnet has been instructing its infected zombie computers to send fake SSL (Secure Sockets Layer) connections to major Web sites, a botnet expert said on Monday.

The strange traffic targeting the Web sites–including sites for the CIA, FBI, PayPal, Yahoo, and Twitter, according to a list at the Shadow Server Foundation–was not enough to cause any outages or slowdowns, said Joe Stewart, director of malware research at SecureWorks.


Researcher Busts into Twitter via SSL Reneg Hole

A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the Secure Sockets Layer protocol.

The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. When the flaw surfaced last week, many researchers dismissed it as an esoteric curiosity with little practical effect.
