TulipTools Internet Business Owners and Online Sellers Community

Full Version: Think your store or auction site's implementation of SSL is secure? Think again
A little something to brighten your Friday morning.

Quote: No edition of the Black Hat conference would be complete without a few security bombshells: the ones where attendees learn that a huge swath of their digital security -- previously thought to be totally secure -- is little more than a house of cards that, thanks to some Black Hat researcher, just came tumbling down. Here in Las Vegas, Moxie Marlinspike is one of those researchers and he's here demonstrating how SSL is that house of cards. Think your implementation of SSL is secure? Think again. It's time to go back to square one.

According to Marlinspike, it's not the SSL protocol -- the protocol used for the secure form of the Web (https) -- that's the problem. It's the majority of the implementations that are utterly insecure. This includes most of the major banks, email systems, social networking sites, and so on. Even most software update mechanisms...

The glaring example is where 90 percent of your experience on some shopping site is over HTTP until the time comes to actually pay. Only then does the shopping site send you back a page with HTTPS links on it. Everyone looks for the padlock in their browsers (these days, padlocks appear all over the place so they're useless anyway) and thinks "OK, the next thing I click on is secure. I'm good."

Think again...


full article:
http://www.informationweek.com/blog/main..._from.html
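
For store owners who want to check their own pages for the pattern the quoted article describes (a page delivered over plain HTTP that carries the HTTPS payment links), here is an added example that is not part of the original post or the article. The host `shop.example`, the sample markup and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that carry a navigation or submission target.
TARGET_ATTRS = {"a": "href", "form": "action", "iframe": "src"}


class _TargetCollector(HTMLParser):
    """Collects (tag, raw_target) pairs from links, forms and iframes."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = TARGET_ATTRS.get(tag)
        if attr:
            value = dict(attrs).get(attr)
            if value is not None:
                self.targets.append((tag, value))


def audit_page(page_url, html):
    """Return (tag, url) for every HTTPS target carried by a non-HTTPS page.

    A page fetched over plain HTTP is unauthenticated, so the https:// links
    and form actions on it can be altered in transit; the padlock on the
    *next* page says nothing about how the user got there.
    """
    if urlsplit(page_url).scheme == "https":
        return []  # targets arrived over an authenticated channel
    collector = _TargetCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.targets:
        absolute = urljoin(page_url, raw)  # relative targets inherit http
        if urlsplit(absolute).scheme == "https":
            findings.append((tag, absolute))
    return findings


# Constructed sample: a cart page served over HTTP.
SAMPLE_URL = "http://shop.example/cart"
SAMPLE_HTML = """
<a href="/products">Keep shopping</a>
<a href="https://shop.example/checkout">Pay now</a>
<form action="https://shop.example/pay" method="post"></form>
"""

if __name__ == "__main__":
    for tag, url in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{tag}: {url} is reached from an unauthenticated HTTP page")
```

Any finding means the secure step is bootstrapped from an insecure page; serving the whole session over HTTPS removes the finding.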