Slashdot Mirror


Researchers Find, Analyze Forged SSL Certs In the Wild

An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."
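The summary describes the core of the researchers' method: a client that only completes enough of the TLS handshake to receive the server's Certificate message, then reports what it saw so the site can compare it with the certificate it actually serves. The following Python is an added example (not the researchers' Flash code and not from the paper) of the two pieces that make such a report useful: a length-checked parser for a TLS 1.2 Certificate handshake message (RFC 5246 format) and a comparison of the presented leaf certificate's SHA-256 fingerprint against the fingerprint the site expects. All certificate bytes are constructed placeholders, so it runs offline.

```python
import hashlib

# TLS record and handshake constants (RFC 5246).
HANDSHAKE_RECORD = 0x16
HS_CERTIFICATE = 11

# Constructed placeholder blobs standing in for DER certificates. Real DER is
# ASN.1, but the framing and fingerprinting below work on any byte string.
GENUINE_LEAF = b"constructed-genuine-leaf-cert-for-example.test"
INTERMEDIATE = b"constructed-intermediate-ca-cert"
FORGED_LEAF = b"constructed-leaf-cert-presented-by-interceptor"


def fingerprint(der):
    """SHA-256 over the raw DER bytes, the usual certificate fingerprint."""
    return hashlib.sha256(der).hexdigest()


# The fingerprint a site would keep on its own detection endpoint (constructed).
EXPECTED_LEAF_FP = fingerprint(GENUINE_LEAF)


def build_certificate_record(cert_blobs):
    """Encode a TLS 1.2 Certificate handshake message inside one record.

    Used here only to construct sample input; a capturing client would read
    these bytes off the socket after sending its ClientHello.
    """
    certs = b"".join(len(c).to_bytes(3, "big") + c for c in cert_blobs)
    body = len(certs).to_bytes(3, "big") + certs
    handshake = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    # Record header: ContentType, ProtocolVersion (3,3 = TLS 1.2), length.
    return bytes([HANDSHAKE_RECORD, 3, 3]) + len(handshake).to_bytes(2, "big") + handshake


def parse_certificate_record(record):
    """Return the DER blobs from a Certificate message, checking every length field.

    Raises ValueError on anything malformed so that a truncated or hostile
    response is never mis-reported as a valid chain.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or len(handshake) < 4:
        raise ValueError("truncated record")
    if handshake[0] != HS_CERTIFICATE:
        raise ValueError("handshake message is not Certificate")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 3:
        raise ValueError("truncated handshake message")
    list_len = int.from_bytes(body[0:3], "big")
    if list_len != len(body) - 3:
        raise ValueError("certificate_list length mismatch")
    certs, pos = [], 3
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("dangling bytes in certificate_list")
        clen = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        der = body[pos:pos + clen]
        if len(der) != clen:
            raise ValueError("truncated certificate entry")
        certs.append(der)
        pos += clen
    if not certs:
        raise ValueError("empty certificate_list")
    return certs


def is_well_formed(record):
    """True if the record parses as a complete Certificate message."""
    try:
        parse_certificate_record(record)
        return True
    except ValueError:
        return False


def classify(record, expected_leaf_fp):
    """Compare the presented leaf certificate with the site's own fingerprint.

    A mismatch means the client was shown a certificate the site never
    served, which is the signal the paper's method reports.
    """
    certs = parse_certificate_record(record)
    fp = fingerprint(certs[0])
    return {
        "leaf_fingerprint": fp,
        "chain_length": len(certs),
        "forged": fp != expected_leaf_fp,
    }


if __name__ == "__main__":
    for label, chain in (("genuine", [GENUINE_LEAF, INTERMEDIATE]),
                         ("intercepted", [FORGED_LEAF])):
        print(label, classify(build_certificate_record(chain), EXPECTED_LEAF_FP))
```

Two caveats for anyone adapting this: a real Certificate message can span several TLS records, so a capturing client has to reassemble the handshake stream before parsing, and in TLS 1.3 the Certificate message is encrypted, so this plaintext capture only works against TLS 1.2 and earlier handshakes, which is what the 2014-era research targeted. The fingerprint comparison belongs on the site's side, not in the client, since the client sits on the path the interceptor controls.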

1 of 86 comments

  1. Flash? I removed Flash to avoid problems! by phayes · Score: 1, Troll

    Flash has had too many security breaches & just isn't useful enough for me to justify its continued existence on my main browsers.

    When I need Flash for a few select sites I use Chrome & for the rest I use a Windows VM that is regularly wiped back to a clean config using snapshots.

    Too bad they didn't implement their validation tool as a normal browser plugin (or a suite of such for FF/Chrome/Safari/IE).

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue