Saturday, March 26, 2011


HTTPS is not foolproof: the big players get attacked, and so can you, constantly

We explained the other day that HTTPS connections provide extra security, but beware: they are not infallible.

The Internet giants: attacked

A couple of days ago Jacob Appelbaum, author of interesting drafts for TOR (the online anonymity network) and a security researcher, reported that he had discovered a man-in-the-middle attack affecting large companies such as Google and Yahoo. Using a forged certificate, an Iranian server was receiving the private keys that encrypt passwords and other packets, so it could decrypt them.

The attack was resolved without being made public, through updates to the major browsers so that they would no longer accept these certificates.

Comodo, a company providing computer security services (antivirus, firewalls) and SSL certificates, and the certification authority that was impersonated, apparently from an Iranian server, openly published information about the attack on 15 March in a blog post (available here), 8 days after the attack.

HTTPS is not infallible

The fact that browsers ship lists of unauthorized certificates is evidence that these attacks are occurring continuously.

However, this workaround is certainly worrying, since it depends on the user updating the browser, and that update is not forced in any way but merely recommended. That is, users can remain exposed for a long time.

It seems that the certificate revocation list method, which in any case should have been included in a software update, as if it were a mistake rather than an attack, has not convinced security experts. In fact, if the cracker is capturing the user's packets, he gets the private keys in every browser. That is, a targeted attack (as opposed to a random one, and in any case the most dangerous kind) is not avoided by these techniques.

The proliferation of certification authorities does not help: the EFF SSL Observatory has reported the existence of 650 suspect certifying authorities trusted by Microsoft and Mozilla.

The main problem, and perhaps the solution, may be that certificates have long lifetimes (1 year or more). If that were a few days, the risks would be minimized at the cost of a small inconvenience to the user (accepting certificates). So the landscape is doomed to change, I hope.
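To make the two defensive mechanisms discussed above concrete, here is an added example (not code from the original post, nor from Comodo or any browser vendor) that layers a per-certificate blocklist, the kind a browser update delivers, and a maximum-lifetime policy on top of normal X.509 chain validation. It issues its own throw-away test CA and leaf certificate in memory, so the host name, the 90-day limit and all certificates are constructed for the demonstration and are not taken from the incident described.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint returns the hex SHA-256 of the certificate's DER bytes, the
// identifier a browser blocklist typically carries for a distrusted cert.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Policy adds two checks to chain validation: a blocklist of individual
// certificates (what the browser updates in the post delivered) and a cap
// on the validity period (the short lifetimes the post argues for).
type Policy struct {
	Roots       *x509.CertPool
	Blocklist   map[string]bool
	MaxLifetime time.Duration
}

// Check returns nil only if leaf chains to a trusted root for host, is not
// blocklisted, and is not valid for longer than MaxLifetime.
func (p Policy) Check(leaf *x509.Certificate, host string, now time.Time) error {
	opts := x509.VerifyOptions{Roots: p.Roots, DNSName: host, CurrentTime: now}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if p.Blocklist[Fingerprint(leaf)] {
		return errors.New("certificate is on the revocation blocklist")
	}
	if lifetime := leaf.NotAfter.Sub(leaf.NotBefore); lifetime > p.MaxLifetime {
		return fmt.Errorf("lifetime %v exceeds policy maximum %v", lifetime, p.MaxLifetime)
	}
	return nil
}

// makeCert signs template with parent (self-signed when parent is nil) and
// returns the parsed certificate together with its freshly generated key.
func makeCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario issues a constructed test leaf for host with the given validity
// period and evaluates it under the policy. trusted controls whether the
// issuing CA is in the trust store (a certificate from an unknown issuer
// must fail chain validation); blocklisted adds the leaf's fingerprint to
// the blocklist, as a browser update would for a mis-issued certificate.
func Scenario(host string, lifetime time.Duration, trusted, blocklisted bool) error {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Test CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := makeCert(caTmpl, nil, nil)
	if err != nil {
		return err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(-time.Hour).Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := makeCert(leafTmpl, ca, caKey)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // empty pool: nothing is trusted unless added
	if trusted {
		roots.AddCert(ca)
	}
	policy := Policy{Roots: roots, Blocklist: map[string]bool{}, MaxLifetime: 90 * 24 * time.Hour}
	if blocklisted {
		policy.Blocklist[Fingerprint(leaf)] = true
	}
	return policy.Check(leaf, host, now)
}

func main() {
	day := 24 * time.Hour
	host := "mail.example.test" // constructed host name
	fmt.Println("short-lived, trusted:     ", Scenario(host, 30*day, true, false))
	fmt.Println("one-year lifetime:        ", Scenario(host, 365*day, true, false))
	fmt.Println("untrusted issuer:         ", Scenario(host, 30*day, false, false))
	fmt.Println("blocklisted by an update: ", Scenario(host, 30*day, true, true))
}
```

Only the first scenario passes; the other three show the three distinct failure reasons. Note that the blocklist and lifetime checks run after chain validation, so a forged certificate that a browser has not yet been updated to distrust is caught only if its issuer is untrusted or its lifetime exceeds the cap, which is exactly the window of exposure the post complains about.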

Meanwhile, using a VPN or TOR for our vital connections cannot be a bad idea.
