Kim Holburn wrote:
> http://arstechnica.com/security/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users/
>
>> SSL is the cornerstone of secure Web browsing, enabling credit card and bank
>> details to be used on the 'Net with impunity. We're all told to check for
>> the little padlock in our address bars before handing over any sensitive
>> information. SSL is also increasingly a feature of webmail providers,
>> instant messaging, and other forms of online communication.
>>
>> Recent discoveries by Wired and a paper by security researchers Christopher
>> Soghoian and Sid Stamm suggest that SSL might not be as secure as once
>> thought. Not because SSL itself has been compromised, but because
>> governments are conspiring with Certificate Authorities, key parts of the
>> SSL infrastructure, to subvert the entire system to allow them to spy on
>> anyone they wish to keep tabs on.

The man in the middle attack (MIM) has been known about and demonstrated for
many years. Given gummint's insatiable need to snoop, isn't it time that
browser technology began deploying methodologies to thwart MIM attacks?

But given the unreasonable influence the military-industrial complex has
over technologies and policies in their own favour (viz the recent discussion
on contactless payment cards), I doubt that these mitigating technologies will
ever be deployed. It is not in their interest to do so.

A web search for "mitigating man in the middle attacks" shows that there are
many proposed solutions to make it so. It also takes the will to do so.

Here is but one simple solution:

http://dl.acm.org/citation.cfm?id=1812632

"In this paper, we have proposed and implemented a novel approach to solve
MITM over SSL which uses the genuine website URL. To tackle such attacks we
propose hashing the user password with the public key of the server's digital
certificate. This approach beats the MITM, since the MITM receives the hash of
the original password which cannot be reused. We prove our concept with a
browser plugin."

cheers
rickw

--
------------------------------------
Rick Welykochy || Vitendo Consulting

The chief source of problems is solutions.
     -- Eric Sevareid
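
The idea in the abstract quoted above, as an added sketch that is not code from the paper or from this post: the client sends a value derived from the password and the public key of the certificate it actually sees, so a value produced against a substituted certificate does not verify at the genuine server. The PBKDF2 construction, the `Server` class, and the sample keys and password are assumptions made for illustration; the paper's actual construction is not given here.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded public keys (SubjectPublicKeyInfo);
# a real client would take these bytes from the certificate in the handshake.
GENUINE_SERVER_KEY = b"constructed-spki-bytes-of-genuine-server"
SUBSTITUTED_KEY = b"constructed-spki-bytes-of-substituted-cert"

ITERATIONS = 100_000  # slow KDF so a captured value is costly to guess against


def bound_credential(password: str, presented_public_key: bytes) -> bytes:
    """Client side: derive the value sent in place of the raw password.

    Assumption: PBKDF2-HMAC-SHA256 salted with a hash of the presented key.
    """
    salt = hashlib.sha256(presented_public_key).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    """Genuine server: enrols and verifies against its own public key only."""

    def __init__(self, public_key: bytes):
        self.public_key = public_key
        self.verifiers = {}

    def enrol(self, user: str, password: str) -> None:
        self.verifiers[user] = bound_credential(password, self.public_key)

    def login(self, user: str, submitted: bytes) -> bool:
        expected = self.verifiers.get(user)
        return expected is not None and hmac.compare_digest(expected, submitted)


def demo():
    password = "correct horse battery staple"  # constructed sample
    server = Server(GENUINE_SERVER_KEY)
    server.enrol("alice", password)
    # Client connected directly and saw the genuine certificate.
    direct = bound_credential(password, GENUINE_SERVER_KEY)
    # Client saw a substituted certificate, so the value is bound to that key.
    via_substituted = bound_credential(password, SUBSTITUTED_KEY)
    return server.login("alice", direct), server.login("alice", via_substituted)


if __name__ == "__main__":
    print(demo())
```

The value bound to the substituted key is still derived from the password, which is why the sketch uses a slow KDF rather than a single hash.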
