SSL Holes Found In Critical Non-Browser Software

Gunkerty Jeb writes "The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages. Serious security vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack."

This again?

News Flash: People bypass inconvenient security features. Security reduced as a result.

How does this at all lead to a "death knell" for SSL?

Re:Death knell? Really?

It means that both Gunkerty Jeb and Timothy didn't read TFA and are both fucking stupid.

Summary: libraries allow you to selectively ignore part or all of the certificate chain verification, including OpenSSL, which is exactly what your fucking browser asks you to do when you visit a site with a self-signed or expired cert. TFA argues that this is the wrong behavior. TFA also doesn't understand that sometimes you don't care that much about MITM, just that the traffic is encrypted to make the current session opaque.

TFA also doesn't understand what the layers of security are around Amazon's EC2 toolkit, either.

Re:Death knell? Really?

It means that this "post" is really clickbait. And now we know why no one RTFA.

Re:Man in the middle?

[pthisis]

You're better off running your own CA and distributing that CA's public key to your internal apps. Then you can ignore outside CAs but still avoid MITM attacks.