SSL certificates and "the most dangerous code in the world"

Discussion in 'other security issues & news' started by Baserk, Oct 27, 2012.

Thread Status:
Not open for further replies.
  1. Baserk (Registered Member; joined Apr 14, 2008; 1,317 posts; location: AmstelodamUM)

    From Heise Online:
    'Many programs that use encryption are not secure, according to researchers at the University of Texas at Austin and Stanford University.
    The researchers found that a number of e-commerce web applications, well-known instant messaging clients such as Trillian and AIM, and a long list of cloud services use ineffective encryption. They say that the libraries used for encryption are the main culprit.
    ...
    The research team conducted targeted man-in-the-middle attacks, presenting applications with three kinds of bogus certificates: a self-signed certificate with the correct name, a self-signed certificate with a random name and a certificate that was from a legitimate authority but issued to the domain AllYourSSLAreBelongto.us – hardly the correct domain. All three certificates managed to find trusting victims that accepted them.
    The researchers found these bugs in almost all kinds of applications, from messaging clients to critical business applications that transmit sensitive customer data via services like PayPal and Amazon Flexible Payments Service (FPS). Chase Bank's Android banking app proved to be vulnerable, as did Rackspace's iOS app for managing resources in the cloud. ...'
    link

    "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" (PDF) PDF link
     
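The three man-in-the-middle trials the quoted article describes, run through a model of the checks a TLS client has to perform, as an added example that is not part of the original post, the Heise article, or the researchers' own test code. It shows which check catches which bogus certificate: the two self-signed certificates fail chain validation, while the CA-issued certificate for AllYourSSLAreBelongto.us passes the chain check and is rejected only by hostname matching, which is exactly the check a "chain only" client skips. The Cert record, the HMAC-based "signature", the hostname api.example.com and the CA name "Example Root CA" are all constructed stand-ins for X.509 and a real trust store; only the Python standard library is used.

```python
"""Added example, not code from the paper or the Heise article.

Models the checks a TLS client must perform on a server certificate and runs
the three bogus certificates the researchers presented through them.  The
Cert record and the HMAC-based "signature" are simplifications standing in
for X.509 and a CA's public-key signature; hostnames and the CA name are
made up.  Only the standard library is used.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # DNS name the certificate claims (the CN / SAN)
    issuer: str    # name of the CA that signed it; equals subject when self-signed
    sig: bytes     # signature over (subject, issuer) made with the issuer's key


# Constructed trust store: CA name -> CA key.  With a real X.509 chain this
# would be the root's public key; an HMAC key plays that role here.
TRUSTED_CAS = {"Example Root CA": b"example-root-ca-key"}


def sign(subject: str, issuer: str, key: bytes) -> bytes:
    return hmac.new(key, f"{subject}|{issuer}".encode(), hashlib.sha256).digest()


def issue(subject: str, issuer: str, key: bytes) -> Cert:
    return Cert(subject, issuer, sign(subject, issuer, key))


def chain_is_trusted(cert: Cert) -> bool:
    """Check 1: the certificate was signed by a CA in the trust store."""
    key = TRUSTED_CAS.get(cert.issuer)
    if key is None:
        return False
    return hmac.compare_digest(cert.sig, sign(cert.subject, cert.issuer, key))


def hostname_matches(pattern: str, host: str) -> bool:
    """Check 2: RFC 6125-style name matching: exact match, or one leftmost
    wildcard label covering exactly one label (no "*.com", no multi-level)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and pattern.count(".") >= 2:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False


def validate(cert: Cert, expected_host: str):
    """Full validation: None if the certificate is acceptable for expected_host,
    otherwise a string naming the check that failed."""
    if not chain_is_trusted(cert):
        return "untrusted issuer"
    if not hostname_matches(cert.subject, expected_host):
        return "hostname mismatch"
    return None


def chain_only(cert: Cert, expected_host: str):
    """The bug pattern the paper documents: chain verified, hostname never
    compared against the server the client meant to talk to."""
    return None if chain_is_trusted(cert) else "untrusted issuer"


def run_mitm_trials(expected_host: str = "api.example.com") -> dict:
    """Present the three bogus certificates (plus the genuine one) to both
    validators and report what each accepts.  All certificates are constructed."""
    ca_key = TRUSTED_CAS["Example Root CA"]
    attacker_key = b"attacker-key"   # attacker's own key; not in the trust store
    certs = {
        "genuine": issue(expected_host, "Example Root CA", ca_key),
        # 1. self-signed certificate with the correct name
        "self-signed, correct name": issue(expected_host, expected_host, attacker_key),
        # 2. self-signed certificate with a random name
        "self-signed, random name": issue("xq7v.invalid", "xq7v.invalid", attacker_key),
        # 3. certificate from a trusted CA, issued to the wrong domain
        "CA-issued, wrong domain": issue("AllYourSSLAreBelongto.us", "Example Root CA", ca_key),
    }
    return {
        name: {"full": validate(c, expected_host), "chain_only": chain_only(c, expected_host)}
        for name, c in certs.items()
    }


if __name__ == "__main__":
    for name, outcome in run_mitm_trials().items():
        full = outcome["full"] or "ACCEPT"
        chain = outcome["chain_only"] or "ACCEPT"
        print(f"{name:28s} full={full:18s} chain_only={chain}")
```

Running it prints one line per certificate; the "CA-issued, wrong domain" row is the one where the two validators disagree, and it is the case that a valid certificate anyone can buy for their own domain turns into a working MITM against a client that only checks the chain. In real code the hostname check must also cover SubjectAltName entries and must be applied to the leaf certificate after chain building, not to whichever certificate happens to be first in the handshake.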
  2. ronjor (Global Moderator; joined Jul 21, 2003; 57,802 posts; location: Texas)