
Submission: Lots of man-in-the-middle vulnerabilities

An anonymous reader writes: In a recent study, researchers from Stanford and U.T. Austin discovered that many popular applications break or disable certificate validation when using HTTPS. As a result, their HTTPS connections are not properly authenticated, making them vulnerable to man-in-the-middle attacks. Their FAQ gives a brief overview of the issue.

  • by Spazmania ( 174582 ) on Thursday October 18, 2012 @05:07PM (#41699231) Homepage

    The authors may understand encryption but they don't understand security.

    Even with the suggested fix, the plain text data is still vulnerable to spyware on the endpoints and a dozen other attack vectors.

    Without the suggested fix, unsigned encryption is still more secure than plain text. Vulnerable to man in the middle? Yes. Vulnerable to a sniffer? No. Merely encrypting it without validating signatures still cuts off a large number of attack vectors.

    Security is not about the one true and flawless design. It's about striking the right balance between maximizing utility and minimizing usable attack vectors. For some data flows, man-in-the-middle is an acceptable trade off for not having to manage certificates.
