
Submission + - UK home secretary peddling Security Snake Oil (bbc.co.uk)

Martin S. writes: Amber Rudd, the UK Home Secretary responsible for policing, is peddling security snake oil. Ignoring the big problem with information security is that it really is impossible to tell the difference between good security and bad security without an expert, and we all know what the current crop of politicians think of experts. https://www.schneier.com/crypt...

Submission + - Over 14K Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites (bleepingcomputer.com) 1

An anonymous reader writes: During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word "PayPal" in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites. Other CAs have issued a combined number of 461 SSL certificates containing the term "PayPal" in the certificate information, which were later used for phishing attacks. This number is far smaller compared to misused Let's Encrypt certs.

Assuming that current trends continue, Let's Encrypt will issue 20,000 additional "PayPal" certificates by the end of this year, bringing the total up to 35,000 over the past two years. To blame for this situation is Let's Encrypt, who said in a mission statement it doesn't intend to police the Internet. Browser makers are also to blame [1, 2], along with "security experts" who tell people HTTPS is "secure," when they should point out HTTPS means "encrypted communication channel," and not necessarily that the destination website is secure.

Comment Re:Norton (Score 1) 77

No, you don't understand that - if you have three parties involved in certificate management you have a higher risk than if you have two involved, where you have exchanged the certificate validation only between those two parties. A certificate created where one of the parties is a private CA is what you need for best security, and that's essentially what a self-signed certificate is.

But if you don't validate the certificate at either end to ensure that the signer is a valid signer you have a MITM attack possibility, and if the CA is a third party you have a higher risk of a MITM situation - like the Symantec CA.

The reasoning that self-signed certificates are less secure is based on the fact that they aren't validated, but if they are properly validated at both ends they are more secure. But that's not something the popular CAs want to inform you about, since that would be bad for their business.

And how many really validate the certificates of an https connection anyway?

Comment Re:Norton (Score 1) 77

The difference now is that many hackers have developed tools for MITM attacks on https.

And it still doesn't validate that sites running https should be seen as more trustworthy and allowed by the browser to do more.

In addition to that - realize that as the number of parties involved increases, so do the security issues. I would prefer that my bank signed their own certificates and sent me a keycard with the certificate that I should use, combined with the CA certificate for the bank. That way only two parties are involved in the channel and the certificates can be validated both ways. At least as long as neither of the end systems is compromised.

Comment Re:Norton (Score 2) 77

More important is that this further highlights that the "trust" system as it is designed today is broken.

The trust system is based on your getting a default trust of a few CAs at the top, and if one is compromised the house of cards suffers severely. And what happens if a CA is ordered by a government to provide false certificates? We can't know if that's the case or not, because it will look identical to a real certificate unless it's inspected on a very low level and compared with the certificates assigned to the company using them.
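The two-party model argued across the three Re:Norton comments above (the bank acting as its own CA, each end validating the other against that one root, and a certificate for the same hostname from any other CA being rejected), as an added Go example that is not code from the comments or from any project; the names bank-private-ca, bank.example, customer-keycard and public-ca are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a P-256 key and a certificate for cn; with parent == nil it is self-signed (a private root CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) } // constructed example: a bad template is a programming error
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify chains cert to the single trusted root for the given purpose (and host name, for server certs); nil means accepted.
func verify(cert, root *x509.Certificate, usage x509.ExtKeyUsage, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// Scenario: the bank runs its own CA and issues both its server certificate and the customer's keycard certificate,
// so each end validates the other against that one root; a bank.example certificate from "public-ca" must fail.
func Scenario() (serverErr, customerErr, lookalikeErr error) {
	bankCA, bankKey := issue("bank-private-ca", true, nil, nil)
	server, _ := issue("bank.example", false, bankCA, bankKey)
	customer, _ := issue("customer-keycard", false, bankCA, bankKey)
	otherCA, otherKey := issue("public-ca", true, nil, nil)
	lookalike, _ := issue("bank.example", false, otherCA, otherKey)
	return verify(server, bankCA, x509.ExtKeyUsageServerAuth, "bank.example"),
		verify(customer, bankCA, x509.ExtKeyUsageClientAuth, ""),
		verify(lookalike, bankCA, x509.ExtKeyUsageServerAuth, "bank.example")
}
```

The lookalike certificate is indistinguishable from the real one by inspection of its subject and hostname; it is rejected only because the client pins the bank's own root instead of a default bundle of public CAs.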

Submission + - Astronomers Observe Supermassive Blackhole Ejected by Gravitational Waves (nasa.gov)

An anonymous reader writes: From NASA:
"Astronomers have uncovered a supermassive black hole that has been propelled out of the center of a distant galaxy by what could be the awesome power of gravitational waves.

Though there have been several other suspected, similarly booted black holes elsewhere, none has been confirmed so far. Astronomers think this object, detected by NASA's Hubble Space Telescope, is a very strong case. Weighing more than 1 billion suns, the rogue black hole is the most massive black hole ever detected to have been kicked out of its central home.
Researchers estimate that it took the equivalent energy of 100 million supernovas exploding simultaneously to jettison the black hole. The most plausible explanation for this propulsive energy is that the monster object was given a kick by gravitational waves unleashed by the merger of two hefty black holes at the center of the host galaxy."
The findings of the study will be published in the journal Astronomy and Astrophysics on March 30th.
