Significant portion of HTTPS Web connections made by forged certificates

Discussion in 'privacy technology' started by ronjor, May 11, 2014.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I'm impressed, Facebook :thumb:
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Its a battle out here isn't it?
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Indeed it is, and there are many players.

    This is a key quote from the article:
    In other words, for the most part it's security products that are breaking HTTPS security, in order to protect users. And network admins are breaking HTTPS in order to prevent employees from wasting time on Facebook ;)

    And then we have this:
    I am continually amazed by the importance of ads in all this. Given that I never see ads, it's easy to forget how heavily they have dominated Web economics.
     
  5. Splosh

    Splosh Registered Member

    Joined:
    Nov 19, 2012
    Posts:
    18
    I'd be more worried about government manufactured certificates with gag ordered CA signatures, the invisible adversary than blatant SSL MITM that rings every bell from Paris to Rome.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I am involved with several very private sites and like Wilder's they issue PRIVATE cert's where we don't have to rely on all the CA ~ Snipped as per TOS ~. I just don't have trust for the "cert authorities" because its tooooooooooo easy to get a bad actor in the mix. The site owner/Admin posts the cert ID at the top of the website with all pertinent fingerprints and then members can set their "watchdog software" to verify the FULL fingerprint before opening the site without fail. That is how I strongly prefer to conduct business and I wish that was how all sites went about it. I know its not going to happen. I am just glad that those I value and feel secure in do proceed that way. My two cents.
     
    Last edited by a moderator: May 12, 2014
  7. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    1 in 500 secure connections use forged certificate

    Researchers from Facebook and Carnegie Mellon University have published a paper (PDF) in
    which they show that out of a sample of over 3 million secure connections to Facebook, 0.2%
    used a forged SSL certificate.

    The number may seem small, but it is not insignificant, especially given the sheer volume
    of HTTPS connections made over the Internet every day.

    http://www.virusbtn.com/blog/2014/05_13.xml?rss
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Yes, but the "vast majority" of that 0.2% were not exploits. They involved "unauthorized" SSL certificates used by anti-malware apps and network firewalls for scanning HTTPS connections.

    Even so, it is disturbing. It further demonstrates just how broken HTTPS has become. As Palancar noted, self-signed certificates are the way to go for security. But that's not workable for most Web users.
     
Loading...
Thread Status:
Not open for further replies.