Thursday, July 16, 2009

Is SSL broken?

I was reading Network World and for a very brief moment was alarmed to learn that SSL is not secure and that Tim Greene recommends (or is he quoting the researchers' opinion?) that people should not use public wifi even for SSL-safe browsing.

[The Network World article says "SSL VPN...", although the threat, if real, should apply to non-VPN uses of SSL as well, and the examples cited are for online banking, and most people won't call an SSL connection to their bank an SSL VPN. SSL VPN is the extension of an "intranet" over the internet using SSL to secure it.]

Then I found this article that seems to have slightly more data. I haven't seen the demonstration but I have a suspicion that this is much ado about nothing. It seems the flaw is that if parts of the page are EV SSL and other parts are not EV SSL, the browser does not complain as long as the domain is the same. (The part in bold is my assumption, but if it is true, there is nothing to worry about. If my assumption is not true, all hell will break loose, public Wifi or not!) I think all parts are not EV SSL because the site owner did not want to shell out extra money for EV SSL certificates for every sub-domain. This makes sense, because EV SSL is pretty much useless and I don't understand why the website got an EV SSL certificate at all!

If you read this and know that my assumption above is false, please comment and let me know. I should stop using the internet!

Update 3.11pm: Found the abstract here: http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html

[scroll down to find "Alexander Sotirov, Mike Zusman: Breaking the security myths of Extended Validation SSL Certificates"]

My assumption is valid. SSL is still secure. Their point is that EV SSL is not more secure than cheapo SSL.

"Unfortunately, it turns out that the security offered by EV certificates is not any better than the security of even the cheapest $12 SSL certificate"

We already know that is true...this is one more reason and makes it "truer", if that is possible :-)

Wednesday, July 15, 2009

How safe is your Twitter account?

Twitter has been successfully hacked several times, but the most egregious of them all is the break-in that compromised Twitter's own employee and other confidential information. I don't use Twitter but I am concerned about the security of other major social networks like Facebook, Orkut, etc.; frankly, I don't think they are much better. In the race to capture more and more users, social networking websites and applications often ignore security and privacy issues. This is because these issues are considered an economic externality by these companies. In that respect, the information age is a bit like the early industrial era where corporations ignored the impact of their factories on the environment. We need laws that "internalize" these externalities. But given the focus of the government on the economic crisis, health reform and other issues, will this important issue be addressed?