Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re:How About Bluetooth Keyboards (Score 1) 85

Bluetooth 2.1 and up are pretty good security wise, links are always encrypted and pairing with SSP can also protect you from an MITM attack. (e.g. using numeric comparison or passkey entry is secure from MITM. See the relevant wikipedia page for specifics.)

Since encryption is required (and usually done in dedicated hardware), there shouldn't be a difference in battery life.

Comment Re:There are some problems with it (Score 3, Interesting) 137

The server operator could modify the javascript it sends to the client, so that the client sends either the key or the plaintext to a place of the operator's choosing.

That would fall under the same category as MITM in this case. You still need to trust the server (or a server, if you prefer)

You could move the client side code to a browser addon/extension, but you'd still have the problem of trusting the extension to behave

Comment Re:There are some problems with it (Score 4, Informative) 137

It runs on ZeroBin, which uses client side javascript to generate a random 256bit AES key, then compress and encrypt the text before sending it to the server. Comments are also compressed and encrypted. The key is never seen by the server, so the server can't decrypt your data.

It uses the Stanford Javascript Crypto Library for its AES code, and its codebase is available on github.

The system is vulnerable to an MITM attack, also a server admin may be able to reveal the poster's identity, but not the post's content


Submission + - Attack Breaks Confidentiality Model of SSL (threatpost.com)

Gunkerty Jeb writes: Two researchers have developed a new attack on TLS 1.0/SSL 3.0 that enables them to decrypt client requests on the fly and hijack supposedly confidential sessions with sensitive sites such as online banking, e-commerce and payment sites. The attack breaks the confidentiality model of the protocol and is the first known exploitation of a long-known flaw in TLS, potentially affecting the security of transactions on millions of sites.

The attack, developed by Juliano Rizzo and Thai Duong, will be presented at the Ekoparty conference in Argentina on Friday, and, unlike many other attacks on TLS and SSL, it has nothing to do with the certificate trust model in the protocol. Instead, the researchers have developed a tool called BEAST that enables them to grab and decrypt HTTPS cookies from active user sessions. The attack can even decrypt cookies that are marked HTTPS only from sites that use HTTP Strict Transport Security, which forces browsers to communicate over TLS/SSL when it's available.


Submission + - Researchers announce TLS1.0 broken (theregister.co.uk) 3

ludwigf writes: The plaintext-recovery attack exploits a vulnerability in TLS that has long been regarded as mainly a theoretical weakness. At the moment, [their exploit] requires about two seconds to decrypt each byte of an encrypted cookie. That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour for their PayPal attack to work.

TLS 1.1 fixes the problem but: "Actually we have worked with browser and SSL vendors since early May, and every single proposed fix is incompatible with some existing SSL applications," Duong wrote. “What prevents people is that there are too many websites and browsers out there that support only SSL 3.0 and TLS 1.0. If somebody switches his websites completely over to 1.1 or 1.2, he loses a significant part of his customers and vice versa.”

Slashdot Top Deals

The superior man understands what is right; the inferior man understands what will sell. -- Confucius