5 things you need to know about SSL
Here's a quick and dirty guide to SSL/TLS, one of the most important technologies for securing data on the Internet.
Companies faced with the threat posed by networking equipment that contains the notorious Heartbleed bug have few security options beyond working closely with affected vendors, most notably Cisco Systems and Juniper Networks.
From this Monday (17 March) some Xtra email users may need to change their account settings before they can access their email accounts on third party email clients, as Yahoo and Telecom apply an additional encryption setting to Yahoo Xtra email.
Telecom will be contacting select Xtra email users from today as, together with service provider Yahoo, it applies security enhancements to the Xtra email platform.
The popular services of Google, Facebook and Twitter are improving in terms of security, says Scott Behrens, head of Neohapsis Labs, which took a security snapshot of them on May 28 through an analysis that included looking at server headers sent during responses to the websites.
Responding to the increasing number of threats aimed at certificate authorities and the ecosystem of trusted online transactions they represent, seven certificate authorities have come together to form an advocacy group to advance security standards and promote best practices.
Often called the "father of SSL" due to his role as a cryptographer at Netscape Communications where in the mid-'90s he helped bring SSL encryption to the Web, Dr. Taher Elgamal now travels the Middle East as an IT consultant and project coordinator for business and government there.
With all the publicity about breaches of <a href="http://www.networkworld.com/news/2011/081811-ssl-249874.html">SSL certificate authorities</a> and a hack that exploits a vulnerability in the supposedly secure protocol, it's time to consider something else to protect Internet transactions. If only there were something else to turn to.
The SSL certificate authorities like Comodo that have had their security undermined by hackers shouldn't be trusted, and in fact, the way the entire SSL certificate industry of today works can and should be replaced with something better, says Moxie Marlinspike, a security expert who's come up with a plan he says will do that.
SSL/TLS, the protocol that protects <a href="http://www.networkworld.com/topics/security.html">security</a> of e-commerce, has taken a beating lately, with news items ranging from the violation of certificate authorities to the discovery of an exploit that beats the protocol itself.
Microsoft is urging customers to update vulnerable versions of SSL to a newer one that is not susceptible to a recently published exploit called BEAST, but in the meantime it recommends steps that lessen the risk of being victimized.
Only a handful of exploits per decade reveal a vulnerability that is truly significant. Thai Duong and Juliano Rizzo's BEAST (Browser Exploit Against SSL/TLS) attack will rank among them because it compromises the SSL and TLS browser connections hundreds of millions of people rely on every day.
BEAST cannot break the latest version of TLS — the current standard based on SSL — but most browsers and nearly all websites that support secure connections rely on earlier versions of the SSL and TLS protocols, which are vulnerable to BEAST attack. Browser vendors and websites that host secure connections are already scrambling to upgrade to TLS 1.1 or 1.2. How quickly that occurs depends on how many attacks occur in the wild.
The BEAST tool, presented last Friday at the 2011 Ekoparty Security Conference in Argentina, made real a theoretical SSL/TLS vulnerability first documented 10 years ago. It allows an attacker who already has MitM (man-in-the-middle) access to compromise a user's SSL/TLS-protected HTTPS cookie. This would allow an attacker to hijack the victim's active HTTPS-protected session or listen in on the previously cryptographically protected network stream. (Download Duong and Rizzo's paper on the BEAST attack [pdf])
MitM attacks are fairly easy to carry out when the attacker and victim are located on the same local network (such as wireless networks, VPNs, or corporate LANs). Some hacking tools, such as Cain & Abel, reduce MitM attacks and network packet sniffing to the click of a button.
An old flaw turns critical
SSL, the encryption scheme that protects virtually all secure online transactions, requires that users rely on trusted third parties, but what if they can't be trusted?
A new <a href="http://www.networkworld.com/news/2011/033011-usenix-ssl-offloader.html">SSL</a> certificate authority squeezes so much overhead out of supplying certs that it plans to give them away starting next month and to continue at least through the end of the year.
Off-the-shelf graphic processing units can perform <a href="http://www.networkworld.com/news/2011/032611-in-iran-new-attack-escalates.html">SSL acceleration</a> as fast as high-end commercial SSL hardware at a fraction of the cost, according to researchers in Korea and the U.S.