----- Original Message ----- 
From: "Emerald Lass" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 25, 2008 12:24 PM
Subject: handygirl Fw: Google making SSL changes, other sites quiet


>
> ----- Original Message ----- 
> From: Kevin
> To: Kev McTiernan
> Sent: Monday, August 25, 2008 9:49 AM
> Subject: Google making SSL changes, other sites quiet
>
>
>      August 22, 2008 3:41 PM PDT
>      Google making SSL changes, other sites quiet
>      Posted by Elinor Mills
>      A security researcher has been in discussions with Google on an 
> exploit he plans to release that would allow a hacker to easily intercept 
> someone's communications with supposedly secure Web sites over an 
> unsecured Wi-Fi network, but other sites, like Facebook, Yahoo Mail, and 
> Hotmail, remain vulnerable.
>
>
>      Mike Perry, a reverse engineer and developer at Riverbed Technology, 
> says he announced on the BugTraq e-mail list a year ago a common flaw with 
> the way Web sites implement the SSL (Secure Sockets Layer) protocol that 
> is designed to protect people's data when they surf the Web. Typically, 
> they only use SSL for encrypting communications during the log-in stage, 
> he says.
>
>      There are actually two problems with SSL implementations. The first 
> issue is that many sites do not use SSL past the log-in page, and thus 
> expose their users' cookies to theft via sniffing by someone else on the 
> network. A tool exploiting this flaw was released last year by Robert 
> Graham of Errata Security, at the same time Perry announced his flaw.
>
>      Session cookies--which identify the machine as having used the 
> correct username and password--have two modes: "secure" or "insecure." The 
> vulnerability disclosed by Perry targets sites that attempt to use SSL, 
> but do not flag their cookies as "secure." This flaw allows the cookies to 
> be obtained by an attacker with access to the local network, and use them 
> to pose as the Web surfer and access that person's e-mail accounts, bank 
> accounts and other services, even if those users try to use https, Perry 
> says.
>
>      Nothing was done to fix the SSL problems until a month ago when 
> Google announced that people can set Gmail to automatically encrypt 
> communications between a browser and Gmail servers by default, instead of 
> having to type in https://mail.google.com, Perry says.
>
>      However, accessing the site via https://mail.google.com does not 
> automatically preserve the "secure" session and the cookies can still be 
> stolen, Perry says.
>
>      He says he has contacted security representatives at Hotmail, Yahoo 
> Mail, and Facebook about the fact that their sites remain vulnerable to a 
> so-called "man-in-the-middle attack" in which someone on the same Wi-Fi 
> network hijacks the session cookies that are transmitted between a user's 
> browser and a Web site. As of Friday afternoon, he hadn't heard back from 
> them, he said.
>
>      Representatives at Microsoft and Yahoo said they were working on 
> getting comment, while representatives at Facebook did not respond to 
> e-mails or a phone message from CNET News seeking comment.
>
>      Amazon encrypts communications related to payment but not purchase 
> history and recommendations, according to Perry. An Amazon spokeswoman 
> said the company does not comment on security measures.
>
>      Perry had planned to release his exploit tool, which automates the 
> hijacking of the cookies, on Sunday--which will be two weeks after he gave 
> a talk about the vulnerabilities at the Defcon hacker conference in Las 
> Vegas. There is already another exploit out there that targets the same 
> problem, he says.
>
>      "The motivation is to raise awareness and try and encourage these 
> sites to adopt SSL and do it properly," he said in an interview on Friday.
>
>      Delaying release of the tool
>      But, Perry said he has decided to delay releasing the tool for an 
> undetermined time after talking to Google.
>
>      Google is the only one of the major Web sites to offer users the 
> option of setting auto-encryption for all the communications with the site 
> and not just the log-in page, as well as to properly set the "secure" 
> property of its cookies, Perry says.
>
>      Google says it is rolling out the option not just for consumer Gmail 
> users, but also for Google Apps enterprise users and has launched it for 
> the premier edition of Google Apps so that communications with Google 
> Docs, Calendar, and other included Google sites are encrypted.
>
>      It is also very possible that Google will make it so that the "always 
> encrypt" mode is automatically enabled when people first log in via 
> https://gmail.google.com instead of having to go into settings and 
> enable it manually, Perry says.
>
>      "Just about everyone but Google simply does not want to spend the 
> money to invest in the security of their users, and will continue to 
> ignore this issue, just as they have for the past year," Perry wrote in an 
> e-mail.
>
>      The vulnerability affects people using unsecured wireless networks 
> and would require the attacker to be using the same network at the same 
> time. However, it could affect people on other types of networks if it 
> were to be combined with other attacks, such as ones taking advantage of a 
> recently discovered domain name system hijacking exploit that any Web 
> surfer could be exposed to, or more elaborate attacks involving modified 
> DSL or cable modems, which were also discussed at Defcon, Perry says.
>
>      Perry goes into more details about the problems and his plans on his 
> blog.
>
>
>
>
>      "Always Remember 9/11/2001"
>      "God Bless America!"
>
>
>
> 
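The flaw the article describes is a session cookie issued during an SSL log-in without the "secure" attribute, so the browser will also send it over plain HTTP. The following is an added example, not code from the CNET article or from Perry's tool: it parses Set-Cookie headers, reports cookies that lack the Secure (and HttpOnly) attribute, and emits the hardened header a site should send instead. The sample headers are constructed.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        # Flag attributes such as Secure or HttpOnly carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs

def audit_cookie(header):
    """Return the list of flag problems for one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        # Without Secure the browser sends this cookie over plain HTTP too,
        # so anyone sniffing the same network can read it; this is the bug
        # the article attributes to sites that use SSL only for log-in.
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    return issues

def harden_cookie(header):
    """Append Secure and HttpOnly to a Set-Cookie header when they are absent."""
    _, _, attrs = parse_set_cookie(header)
    fixed = header.strip().rstrip(";")
    if "secure" not in attrs:
        fixed += "; Secure"
    if "httponly" not in attrs:
        fixed += "; HttpOnly"
    return fixed

def audit_headers(headers):
    """Map cookie name -> issues for every Set-Cookie header in a response."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}

# Constructed sample: a session cookie set during an SSL log-in without the
# Secure flag, a harmless preference cookie, and a correctly flagged cookie.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.com",
    "PREF=lang=en; Path=/",
    "SESSIONID=xyz789; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, issues in audit_headers(SAMPLE_HEADERS).items():
        print(name, issues or "ok")
    print(harden_cookie(SAMPLE_HEADERS[0]))
```

Run it against the Set-Cookie headers captured from a site's own HTTPS log-in response to see which cookies would be exposed on an open Wi-Fi network.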

