Slashdot Mirror


Black Hat Presentation Highlights SSL Encryption Flaws

nk497 writes "Hackers at the Black Hat conference have shown that SSL encryption isn't as secure as online businesses would like us to think. Independent hacker Moxie Marlinspike showed off several techniques to fool the tech behind the little padlock on your screen. He claimed that by using a real world attack on several secure websites such as PayPal, Gmail, Ticketmaster and Facebook, he garnered 117 email accounts, 16 credit card numbers, seven PayPal logins and 300 other miscellaneous secure logins."

2 of 152 comments

  1. Re:Oh god by Lord+Ender · Score: 3, Informative

    OK: "Some implementations of SSL encryption are flawed. These can be fixed. SSL encryption itself is not flawed."

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  2. Re:Odd choice of words by daemonburrito · Score: 3, Informative

    It's not a conspiracy theory. It appears that a lot of businesses have concluded that occasionally eating the loss on a fraudulent transaction is cheaper than fixing problems.

    Maybe it should be "...isn't as secure as online businesses would like it to be."

    If they "would like it to be" secure all they would have to do is spend more money on their infrastructure to encrypt everything. So, while it's not a "conspiracy", users who trust sites like PayPal or their bank should be upset that these businesses have decided that security is too expensive. Users should be upset that big sites that handle money have decided that it is cheaper to wait for you to notice that money is missing, contact them, and then credit your account (maybe). And if you don't notice, well... it's not their responsibility.

    I think that it is in the interests of businesses as well as their customers for SSL transactions to remain secure.

    I would think so, too. However, people who run these companies' IT appear to have come to a different conclusion: Spend a certain amount of money on a somewhat secure system, and then put the responsibility on the customer to notice fraud. If noticed, credit the customer's account. Since the problems with mixing secure and non-secure elements have been known and exploited for years, we can conclude that these companies have done their cost-benefit analysis on the current way of doing things and found it to be acceptable.