The article discusses why implementing any cryptography in JavaScript gives no security and, what's even worse, gives a feeling of false security.
Wednesday, August 31, 2011
Javascript Cryptography Considered Harmful
Hackers acquire Google certificate, could hijack Gmail accounts
The conceptual problem is that PKI stands on the trust to companies that issue certificates (CA). When there were few CAs and they did their job, everything was fine. As the number of certificates issued increased, CAs started to outsource their work to resellers and lower their cost by automating certificate issuance. So now this kind of problems will happen again and again.
Read the story and today's official statement (which proves my words -- if the computer issuing the certificates would not be connected to network, the trouble would not happen).
Thursday, August 25, 2011
"Apache Killer" tool spotted in the wild
Yipe! While DoS attacks hardly have a 100% working remedy, weakness to some special kind of attack means that another generation of script kiddies to put servers down just for fun.
"Apache Killer" tool spotted in the wild
Friday, August 19, 2011
Trojanized Android app intercepts messages to hide costly subscriptions
Trojanized Android app intercepts messages to hide costly subscriptions
Now that is nasty. Note, however, that the user must install the trojan first, and users who don't pay attention to permissions requested by the installed application, probably deserve some lessons.
Tuesday, August 16, 2011
What really breaks SSL?
An article about how SSL is misused (or not used at all).
The point is that SSL itself is secure, and it's people whose mistakes and misunderstandings make SSL-protected resources vulnerable.