20 Feb 2009 @ 3:41 PM 
From the ‘think SSL is secure?’ files:

WASHINGTON, D.C. - We all rely on SSL and HTTPS to secure our web transactions. That’s why Moxie Marlinspike’s session at Black Hat DC on SSL/HTTPS attacks just blew my mind and has me ‘concerned’, to say the least.

Marlinspike demonstrated how a new tool he has developed, called sslstrip, can trick browsers into thinking they are on an SSL/HTTPS secured site when in fact they are not.

The implication is that all the traffic from the regular HTTP site could then be easily collected by an attacker since the information is not secured. 

“Lots of time the security of HTTPS comes down to the security of HTTP and HTTP is not secure,” Marlinspike told the capacity crowd. 

Marlinspike is no stranger to getting around SSL security. In 2002 he released the sslsniff tool, which could be used in a man-in-the-middle attack to inject an illegitimate SSL certificate into an HTTP stream, tricking a user into thinking they were on the legitimate SSL secured site (when in fact they were not).

So how do you protect yourself?

Marlinspike also claimed that in a limited 24-hour test case running on the anonymous Tor network (and without actually keeping any personally identifiable information) he intercepted 114 Yahoo logins, 50 Gmail logins, 9 PayPal, 9 LinkedIn and 3 Facebook. So apparently the tool works, and works well.

As for how to protect against sslstrip, Marlinspike didn’t have many ideas, but those in the audience did.

Among them was noted DNS security researcher Dan Kaminsky who suggested that DNSSEC could be used to validate a domain and perhaps force users to use the legitimate SSL/HTTPS secured version. 

In response to a question I asked Marlinspike about what browser vendors should do, he responded:

“Browser vendors cannot make HTTP more secure, it’s too late for that. When you have a secure protocol that relies on an insecure protocol then just attack the insecure.”

He added, however, that there is an answer, but it’s not one that he thinks will actually happen.

“The answer is to just encrypt everything.”

Categories: Net Security
Posted By: DteK
Last Edit: 20 Feb 2009 @ 03 44 PM

 16 Feb 2009 @ 6:11 PM 

HAVANA (Reuters) - Cuba launched its own variant of the Linux computer operating system this week in the latest front of the communist island’s battle against what it views as U.S. hegemony.

The Cuban variant, called Nova, was introduced at a Havana computer conference on “technological sovereignty” and is central to the Cuban government’s desire to replace the Microsoft software running most of the island’s computers.

The government views the use of Microsoft systems, developed by U.S.-based Microsoft Corp, as a potential threat because it says U.S. security agencies have access to Microsoft codes.

Also, the long-standing U.S. trade embargo against the island makes it difficult for Cubans to get Microsoft software legally and to update it.

“Getting greater control over the informatic process is an important issue,” said Communications Minister Ramiro Valdes, who heads a commission pushing Cuba’s migration to free software.

Cuba, which is 90 miles from Florida, has been resisting U.S. domination in one form or another since Fidel Castro took over Cuba in a 1959 revolution.

Younger brother Raul Castro replaced the ailing 82-year-old leader last year, but the U.S.-Cuba conflict goes on, now in the world of software.

According to Hector Rodriguez, dean of the School of Free Software at Cuba’s University of Information Sciences, about 20 percent of computers in Cuba, where computer sales to the public began only last year, are currently using Linux.

Nova is Cuba’s own configuration of Linux and bundles various applications of the operating system.

Rodriguez said several government ministries and the Cuban university system have made the switch to Linux but there has been resistance from government companies concerned about its compatibility with their specialized applications.

“I would like to think that in five years our country will have more than 50 percent migrated (to Linux),” he said.

Unlike Microsoft, Linux is free and has open access that allows users to modify its code to fit their needs.

“Private software can have black holes and malicious codes that one doesn’t know about,” Rodriguez said. “That doesn’t happen with free software.”

Apart from security concerns, free software better suits Cuba’s world view, he said.

“The free software movement is closer to the ideology of the Cuban people, above all for the independence and sovereignty.”

 

By Esteban Israel - Reuters

Categories: World, linux
Posted By: DteK
Last Edit: 16 Feb 2009 @ 06 16 PM
