Lots of man-in-the-middle vulnerabilities

Slashdot

+ - Lots of man-in-the-middle vulnerabilities-> 1

Submitted by Anonymous Coward on Thursday October 18, 2012 @01:28PM

An anonymous reader writes "In a recent study researchers from Stanford and U.T.Austin discovered that many popular applications break or disable certificate validation when using HTTPS. As a result their HTTPS connections are not properly authenticated making them vulnerable to man-in-the-middle attacks. Their FAQ gives a brief overview of the issue."
Link to Original Source

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Lots of man-in-the-middle vulnerabilities

Load All Comments

Search 1 Comments Log In/Create an Account

Comments Filter:

Misunderstood (Score:3)

by Spazmania (174582) writes: on Thursday October 18, 2012 @06:07PM (#41699231) Homepage

The authors may understand encryption but they don't understand security.
Even with the suggested fix, the plain text data is still vulnerable to spyware on the endpoints and a dozen other attack vectors.
Without the suggested fix, unsigned encryption is still more secure than plain text. Vulnerable to man in the middle? Yes. Vulnerable to a sniffer? No. Merely encrypting it without validating signatures still cuts of a large number of attack vectors.
Security is not about the one true and flawless design. It's about striking the right balance between maximizing utility and minimizing usable attack vectors. For some data flows, man-in-the-middle is an acceptable trade off for not having to manage certificates.

Share
twitter facebook linkedin

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

He keeps differentiating, flying off on a tangent.

Lots of man-in-the-middle vulnerabilities More Login

Lots of man-in-the-middle vulnerabilities

Misunderstood (Score:3)