Slashdot Mirror


FalseCONNECT Vulnerability Affects Software From Apple, Microsoft, Oracle, More (softpedia.com)

An anonymous reader writes from a report via Softpedia: "Researcher Jerry Decime revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products," reports Softpedia. The flaw can be used to collect user credentials by tricking victims into re-authenticating, sending data to a third-party. Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products are affected. Lenovo said this bug does not impact its software. Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others.

4 of 32 comments

  1. Re:Tricks victims into reauthenticating by Oswald+McWeany · Score: 2

    My vote is for both: It requires an imperfect user using imperfect software.

    --
    "That's the way to do it" - Punch
  2. Re:silent security fixes by halivar · Score: 2

    FLOSS isn't "out in the open;" it's unknown. We don't KNOW that it's affected, and the "may be affected" line in the summary is purely speculative. The known affected parties were notified and given a short time to fix, as is standard procedure. If these security bug disclosure sites had unlimited resources, no one would be out in the cold. Alas, it cannot be.

  3. Re:Tricks victims into reauthenticating by Gr8Apes · Score: 2

    Seems like this is an issue only for those going through a proxy server. No HTTP proxy, no problem. So this affects a minor smidgen of users in the world, and only those that are smart enough to set one up in the first place. (Companies that set this up should be smart enough to deal with this problem)

    --
    The cesspool just got a check and balance.
  4. Re: Tricks victims into reauthenticating by buchanmilne · Score: 2

    ISPs don't use proxies for that.

    The two most common ways to track usage (in DSL/fibre networks, I am not that familiar with cable) are:
    - RADIUS accounting from the BNG where the PPP (e.g. PPPoE) session terminates
    - From a DPI-based in-line system (3GPP terminology is 'PCEF'). This can also typically be used for enabling transparent caching (but that can also be done with e.g. WCCP on a router in-line IIRC, but DPI can make better decisions on what traffic to send to caches).

    But, typically there isn't authentication involved with accessing transparent caches ...