SSL Holes Found In Critical Non-Browser Software

Posted by timothy on Thursday October 25, 2012 @08:21AM from the will-be-with-us-for-a-while dept.

Gunkerty Jeb writes "The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages. Serious security vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack."

2 of 84 comments (clear)

Min score:

Reason:

Sort:

Re:Death knell? Really? by Anonymous Coward · 2012-10-25 08:34 · Score: 5, Informative

It means that both Gunkerty Jeb and Timothy didn't read TFA and are both fucking stupid.
Summary: libraries allow you to selectively ignore part or all of the certificate chain verification, including OpenSSL, which is exactly what your fucking browser asks you to do when you visit a site with a self-signed or expired cert. TFA argues that this is the wrong behavior. TFA also doesn't understand that sometimes you don't care that much about MITM, just that the traffic is encrypted to make the current session opaque.
TFA also doesn't understand what the layers of security are around Amazon's EC2 toolkit, either.
Re:Death knell? Really? by Anonymous Coward · 2012-10-25 08:34 · Score: 5, Informative

It means that this "post" is really clickbait. And now we know why no one RTFA.