


Submission + - Lots of man-in-the-middle vulnerabilities (google.com) 1

An anonymous reader writes: In a recent study, researchers from Stanford and U.T. Austin discovered that many popular applications break or disable certificate validation when using HTTPS. As a result, their HTTPS connections are not properly authenticated, making them vulnerable to man-in-the-middle attacks. Their FAQ gives a brief overview of the issue.
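To make concrete what "disabling certificate validation" means in code, here is an added example in Python's standard `ssl` module. It is not from the study, the FAQ or the submitter; the function names (`broken_context`, `chain_only_context`, `hardened_context`, `audit_context`) are this example's own. It builds three client contexts that correspond to the configurations the summary describes (no validation at all, chain validation without hostname checking, and full validation) and an audit function that flags the two settings a man-in-the-middle needs to get past.

```python
"""Added example (not the study's or the post's code): what broken and
working HTTPS certificate validation look like in Python's ssl module,
plus a small audit check for an SSLContext."""
import ssl


def broken_context() -> ssl.SSLContext:
    """The anti-pattern described in the summary: TLS encryption with no
    authentication. Any certificate presented by the peer is accepted,
    including one minted by an attacker sitting in the network path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be turned off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # skip chain validation entirely
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """A subtler failure: the chain is validated against the trust store,
    but the name in the certificate is never compared with the host being
    contacted. An attacker who holds a valid certificate for any domain at
    all can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What an application should use: CERT_REQUIRED against the platform
    trust store and check_hostname=True, which is exactly what
    ssl.create_default_context() returns."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings that would let a man-in-the-middle succeed.
    An empty list means the context authenticates the server."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate chain is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("broken", broken_context()),
                      ("chain-only", chain_only_context()),
                      ("hardened", hardened_context())):
        print(f"{name}: {audit_context(ctx) or 'authenticated'}")
```

The audit function is the check a reviewer would run over every `SSLContext` an application builds; both findings must be absent before the connection can be called authenticated, since a server whose certificate chains to a trusted root but names a different host is still an impostor.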

Lots of man-in-the-middle vulnerabilities

  • by Spazmania (174582) on Thursday October 18, 2012 @06:07PM (#41699231) Homepage

    The authors may understand encryption but they don't understand security.

    Even with the suggested fix, the plain text data is still vulnerable to spyware on the endpoints and a dozen other attack vectors.

    Without the suggested fix, unsigned encryption is still more secure than plain text. Vulnerable to man in the middle? Yes. Vulnerable to a sniffer? No. Merely encrypting it without validating signatures still cuts off a large number of attack vectors.

    Security is not about the one true and flawless design. It's about striking the right balance between maximizing utility and minimizing usable attack vectors. For some data flows, man-in-the-middle is an acceptable trade off for not having to manage certificates.
