NetSec has published a very interesting presentation about Defeating SSL In Practice from the Black Hat conference.
I found it a very interesting read. It also got me thinking about our software indicators.
It made me think about how I do things, and I'm now adding a new feature to a web app that I'm creating that indicates when it is inside SSL and when it is not, and you can affect it only by using the SSL version…
Well, this sslstrip stuff proves one point I’ve been making all this time: it’s of no use to draconianly fail on invalid SSL certs as long as you allow HTTP through with no warning, as HTTP is even less secure than HTTPS with an invalid cert.
That said, I shudder at the thought of what an Internet controlled by the SSL CA oligopoly, where all HTTP or self-signed HTTPS traffic would be banned, would look like. 😦
Thanks for posting this, Lior.
One thing I find interesting in the presentation is that the majority of the attacks seemed to exploit human interface factors (e.g. providing a lock symbol as a favicon), rather than exploiting strictly technical elements of the infrastructure (like signing end-entity X.509 certificates with other end-entity certificates).
While the latter attacks justifiably get the most technical attention (because users have *no way* of defending against them), the attacks against human interface are even more worrisome to me, because they indicate that our tools are simply not intuitively comprehensible to the end users, and therefore cannot protect those users against a network compromise. How can we make the tools more intuitive without making them excessively noisy?
Kevin Kofler’s suggestion of visibly deprecating *all* HTTP traffic is a drastic (yet intriguing) proposal. It makes me wonder what such a user interface (and network) would look like. It also makes me wonder about how one would distribute authenticated-yet-non-secret traffic on such a network in ways that would facilitate caching and other optimizations.