


Lots of man-in-the-middle vulnerabilities

Submitted by Anonymous Coward
An anonymous reader writes "In a recent study, researchers from Stanford and U.T. Austin discovered that many popular applications break or disable certificate validation when using HTTPS. As a result, their HTTPS connections are not properly authenticated, making them vulnerable to man-in-the-middle attacks. Their FAQ gives a brief overview of the issue."
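The submission describes clients that negotiate TLS but never authenticate the server. The following added example (written for this page, not code from the study or from any of the applications it examined) builds the three client configurations a reviewer typically meets in Python's standard `ssl` module and adds a small audit helper that reports whether a given context actually validates the peer; the function names are assumptions.

```python
import ssl

# Added example: three HTTPS client configurations and an audit helper.
# Function names are illustrative and not taken from the study or the post.


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern the study describes: TLS is still negotiated, so a
    passive sniffer sees only ciphertext, but any certificate is accepted
    and the hostname is never compared, so an active man-in-the-middle
    goes undetected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def half_fixed_context() -> ssl.SSLContext:
    """Validates the chain but not the name: a valid certificate issued
    for any other domain is accepted, so this is still not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def secure_context() -> ssl.SSLContext:
    """Chain validation against the system trust store plus hostname
    verification: what an HTTPS client should use by default."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which checks a context performs. 'authenticated' is true only
    when both the chain and the hostname are verified."""
    verifies_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    verifies_hostname = bool(ctx.check_hostname)
    return {
        "verifies_chain": verifies_chain,
        "verifies_hostname": verifies_hostname,
        "authenticated": verifies_chain and verifies_hostname,
    }


if __name__ == "__main__":
    for name, build in [("insecure", insecure_context),
                        ("half_fixed", half_fixed_context),
                        ("secure", secure_context)]:
        print(name, audit_context(build()))
```

Running the audit over a project's `SSLContext` objects (or the equivalent knobs in other libraries) is a quick way to find the "encrypted but unauthenticated" state the submission refers to.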


  • by Spazmania (174582) on Thursday October 18, 2012 @05:07PM (#41699231) Homepage

    The authors may understand encryption but they don't understand security.

    Even with the suggested fix, the plain text data is still vulnerable to spyware on the endpoints and a dozen other attack vectors.

    Without the suggested fix, unsigned encryption is still more secure than plain text. Vulnerable to man in the middle? Yes. Vulnerable to a sniffer? No. Merely encrypting it without validating signatures still cuts off a large number of attack vectors.

    Security is not about the one true and flawless design. It's about striking the right balance between maximizing utility and minimizing usable attack vectors. For some data flows, man-in-the-middle is an acceptable trade-off for not having to manage certificates.
