Security

Lots of man-in-the-middle vulnerabilities

Submitted by Anonymous Coward
An anonymous reader writes "In a recent study, researchers from Stanford and U.T. Austin discovered that many popular applications break or disable certificate validation when using HTTPS. As a result, their HTTPS connections are not properly authenticated, making them vulnerable to man-in-the-middle attacks. Their FAQ gives a brief overview of the issue."

  • by Spazmania (174582) on Thursday October 18, 2012 @06:07PM (#41699231) Homepage

    The authors may understand encryption but they don't understand security.

    Even with the suggested fix, the plain text data is still vulnerable to spyware on the endpoints and a dozen other attack vectors.

    Without the suggested fix, unsigned encryption is still more secure than plain text. Vulnerable to man in the middle? Yes. Vulnerable to a sniffer? No. Merely encrypting it without validating signatures still cuts off a large number of attack vectors.

    Security is not about the one true and flawless design. It's about striking the right balance between maximizing utility and minimizing usable attack vectors. For some data flows, man-in-the-middle is an acceptable trade off for not having to manage certificates.
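
An added example (not part of the submission, the linked study, or the comment above): a Python check that reports when a client `ssl.SSLContext` encrypts without authenticating the peer, which is the condition the summary describes. The function names and the three sample contexts are constructed for illustration.

```python
import ssl


def audit_client_context(ctx):
    """Return findings for a client-side SSLContext that weaken peer authentication."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    return findings


def exposure(ctx):
    """Map a context to the two attacker classes contrasted in the thread."""
    return {
        # TLS encrypts the channel either way, so a passive sniffer sees ciphertext.
        "passive_sniffer": False,
        # If either check is missing, an active attacker can present a certificate
        # of their own (or a valid one issued for a different host).
        "active_mitm": bool(audit_client_context(ctx)),
    }


def sample_contexts():
    """Constructed sample configurations, not taken from any application in the study."""
    strict = ssl.create_default_context()  # CERT_REQUIRED plus hostname check

    chain_only = ssl.create_default_context()
    chain_only.check_hostname = False  # chain is validated, hostname is not

    unverified = ssl.create_default_context()
    unverified.check_hostname = False  # must be cleared first, or the next line raises ValueError
    unverified.verify_mode = ssl.CERT_NONE

    return {"strict": strict, "chain_only": chain_only, "unverified": unverified}


if __name__ == "__main__":
    for name, ctx in sample_contexts().items():
        print(name, audit_client_context(ctx) or "peer is authenticated", exposure(ctx))
```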