Slashdot Mirror


Researchers Find, Analyze Forged SSL Certs In the Wild

An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."
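
The summary describes the core trick: open a raw socket from the client side, run only the first half of a TLS handshake, and keep the certificate the server (or whatever is sitting in the middle) presents, so the site can compare it to the one it actually serves. The following is an added example, not code from the paper or from the Flash-based tool it describes: a Python client that sends a ClientHello over a plain socket, collects the server's first flight, parses the Certificate handshake message and checks the leaf certificate's SHA-256 fingerprint against a pin set. The certificate bytes, the pin set and the server flight used to exercise it are constructed placeholders, not real wire data, and the `probe()` helper that talks to a live host is an assumption about how one would deploy this, not something the paper specifies.

```python
import hashlib
import socket
import struct
from typing import Optional

# Constructed sample data, NOT real certificates: stand-ins for the DER bytes a
# server would send. Only the raw bytes matter for fingerprinting here.
GENUINE_LEAF_DER = b"\x30\x82constructed-genuine-leaf"
FORGED_LEAF_DER = b"\x30\x82constructed-mitm-leaf"
# Pin set the site operator would publish for its own certificate(s).
EXPECTED_PINS = {hashlib.sha256(GENUINE_LEAF_DER).hexdigest()}


def _ext(ext_type: int, data: bytes) -> bytes:
    """One TLS extension: type(2) + length(2) + data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(hostname: str) -> bytes:
    """TLS 1.2 ClientHello record (RFC 5246) with SNI, supported_groups,
    ec_point_formats and signature_algorithms: enough for a modern server to
    answer with its Certificate. The random is fixed because this client
    never finishes the handshake and so needs no secrets."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = _ext(0, struct.pack("!H", len(sni_entry)) + sni_entry)
    groups = _ext(10, b"\x00\x06\x00\x1d\x00\x17\x00\x18")  # x25519, P-256, P-384
    points = _ext(11, b"\x01\x00")                           # uncompressed only
    sigalgs = _ext(13, b"\x00\x0a\x04\x01\x04\x03\x08\x04\x05\x01\x06\x01")
    extensions = sni + groups + points + sigalgs
    # ECDHE-RSA/ECDSA-AES128-GCM, ECDHE-RSA-AES256-GCM, AES128-GCM, AES128-SHA, AES256-SHA
    suites = b"\xc0\x2f\xc0\x2b\xc0\x30\x00\x9c\x00\x2f\x00\x35"
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_leaf_certificate(stream: bytes) -> Optional[bytes]:
    """Reassemble handshake messages from TLS records and return the first
    (leaf) certificate from the Certificate message (type 11). Returns None on
    an alert, on non-handshake data, or if the message is not complete yet."""
    handshake = bytearray()
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if ctype == 0x15:      # alert: the peer refused our hello
            return None
        if ctype != 0x16:      # anything but handshake ends our interest
            break
        handshake += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    p = 0
    while p + 4 <= len(handshake):
        msg_type = handshake[p]
        msg_len = int.from_bytes(handshake[p + 1:p + 4], "big")
        body = handshake[p + 4:p + 4 + msg_len]
        if len(body) < msg_len:   # truncated message: need more bytes
            return None
        if msg_type == 11:
            first_len = int.from_bytes(body[3:6], "big")   # skip 3-byte list length
            return bytes(body[6:6 + first_len])
        p += 4 + msg_len
    return None


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def check_for_forgery(server_flight: bytes, pins: set) -> str:
    """'genuine' if the presented leaf matches a pin, 'forged:<fp>' otherwise."""
    der = extract_leaf_certificate(server_flight)
    if der is None:
        return "no-certificate"
    fp = fingerprint(der)
    return "genuine" if fp in pins else "forged:" + fp


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Assumed deployment helper: send the ClientHello to a live host and read
    until a Certificate message has arrived. Requires network access."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        try:
            while extract_leaf_certificate(data) is None:
                chunk = s.recv(16384)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return data


def constructed_server_flight(cert_der: bytes) -> bytes:
    """Constructed sample of a server's first flight: ServerHello, then a
    Certificate message deliberately split across two records to exercise
    reassembly. Not real wire data."""
    sh_body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00" + b"\x00\x00"
    sh = b"\x02" + len(sh_body).to_bytes(3, "big") + sh_body
    entry = len(cert_der).to_bytes(3, "big") + cert_der
    cert_body = len(entry).to_bytes(3, "big") + entry
    cert = b"\x0b" + len(cert_body).to_bytes(3, "big") + cert_body
    rec = lambda payload: b"\x16\x03\x03" + struct.pack("!H", len(payload)) + payload
    return rec(sh) + rec(cert[:7]) + rec(cert[7:])


if __name__ == "__main__":
    for label, der in (("genuine", GENUINE_LEAF_DER), ("mitm", FORGED_LEAF_DER)):
        print(label, "->", check_for_forgery(constructed_server_flight(der), EXPECTED_PINS))
```

The point of the paper's design is where this runs: from inside the end user's browser, so the certificate captured is the one the user's path to the site actually delivers, interception proxy included. Run from the site's own servers the check sees nothing, which is why the authors reached for a client-side socket API rather than a server-side scan. Two practical caveats: a middlebox that only intercepts browser traffic may leave a bare socket alone, so a clean result here does not prove the browser's session is clean; and a server that rejects this ClientHello with an alert yields "no-certificate", not a verdict.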

2 of 86 comments

  1. Flash? I removed Flash to avoid problems! by phayes · Score: 1, Troll

    Flash has had too many security breaches & just isn't useful enough for me to justify its continued existence on my main browsers.

    When I need Flash for a few select sites I use Chrome & for the rest I use a Windows VM that is regularly wiped back to a clean config using snapshots.

    Too bad they didn't implement their validation tool as a normal browser plugin (or a suite of such for FF/Chrome/Safari/IE).

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  2. Re:Bluecoat and other security products by BitZtream · Score: -1, Troll

    Perhaps you should consider that you're using your employer's network and systems for personal business and stop being such a fuckwit about it.

    It's not your PC, it's not your network, none of those resources are yours, yet you're complaining about using those resources for things other than what they are intended ... and being watched.

    Do your personal business on your personal time and shut the fuck up.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager