Wednesday, August 31, 2011

Javascript Cryptography Considered Harmful

The article discusses why implementing any cryptography in JavaScript gives no security and, what's even worse, gives a feeling of false security.

Hackers acquire Google certificate, could hijack Gmail accounts

The conceptual problem is that PKI stands on the trust to companies that issue certificates (CA). When there were few CAs and they did their job, everything was fine. As the number of certificates issued increased, CAs started to outsource their work to resellers and lower their cost by automating certificate issuance. So now this kind of problems will happen again and again.

Read the story and today's official statement (which proves my words -- if the computer issuing the certificates would not be connected to network, the trouble would not happen).

Thursday, August 25, 2011

"Apache Killer" tool spotted in the wild

Yipe! While DoS attacks hardly have a 100% working remedy, weakness to some special kind of attack means that another generation of script kiddies to put servers down just for fun.

"Apache Killer" tool spotted in the wild

Friday, August 19, 2011

Trojanized Android app intercepts messages to hide costly subscriptions

Trojanized Android app intercepts messages to hide costly subscriptions

Now that is nasty. Note, however, that the user must install the trojan first, and users who don't pay attention to permissions requested by the installed application, probably deserve some lessons.

Tuesday, August 16, 2011

What really breaks SSL?

An article about how SSL is misused (or not used at all).

The point is that SSL itself is secure, and it's people whose mistakes and misunderstandings make SSL-protected resources vulnerable.