And how does a salt help when they can get the salt?
The salt is not intended to remain any more secret than the hash itself. It also is not designed to ensure security in spite of a breach, just limit the consequences (much like password aging).
Dictionary attacks become disproportionately, infeasibly expensive with a known salt.
Instead of looking for the hash in a pregenerated dictionary (which is easy to find, for example gdataonline.com for MD5, 10^9 entries), the entire dictionary must be regenerated for each hash. That's 10^9 hash operations to attempt to guess a single password.
It won't stop an attacker determined to get at a single password no matter the cost, but it will stop attackers who skim the database for easily cracked passwords.
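To make the cost argument above concrete, here is an added example (written for this page, not code from the original comment). It uses a constructed eight-word dictionary in place of a 10^9-entry MD5 table and a constructed three-user database; the per-user salt, the `compare` helper and the operation counters are assumptions for illustration. MD5 appears only because the comment cites MD5 tables; a real system would use a slow, salted KDF such as bcrypt or scrypt on top of this.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed toy dictionary standing in for a precomputed 10^9-entry table.
WORDLIST: List[str] = [
    "password", "letmein", "qwerty", "123456",
    "dragon", "monkey", "hunter2", "correcthorse",
]

# Constructed user database: two weak passwords, one outside the dictionary.
USERS: List[Tuple[str, str]] = [
    ("alice", "password"),
    ("bob", "hunter2"),
    ("carol", "Tr0ub4dor&3"),
]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(password: str) -> str:
    """Unsalted scheme: identical passwords give identical hashes."""
    return md5_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salted scheme: random per-user salt, stored in the clear beside the hash."""
    salt = salt if salt is not None else os.urandom(8)
    return salt.hex(), md5_hex(salt + password.encode())


def build_table(words: Iterable[str]) -> Dict[str, str]:
    """The attacker's precomputed hash -> word table (built once, reused for every target)."""
    return {store_unsalted(w): w for w in words}


def crack_unsalted(stored_hashes: Iterable[str], table: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """One O(1) lookup per hash. Zero hash operations: the table already exists."""
    found = {h: table[h] for h in stored_hashes if h in table}
    return found, 0


def crack_salted(records: Iterable[Tuple[str, str]], words: List[str]) -> Tuple[Dict[str, str], int]:
    """The table is useless; the dictionary must be re-hashed once per (salt, hash) pair.

    A password that is not in the dictionary costs the entire wordlist before the
    attacker can give up on it, which is the 10^9-operations-per-password figure.
    """
    found: Dict[str, str] = {}
    hash_ops = 0
    for salt_hex, h in records:
        salt = bytes.fromhex(salt_hex)
        for w in words:
            hash_ops += 1
            if md5_hex(salt + w.encode()) == h:
                found[h] = w
                break
    return found, hash_ops


def compare(users: List[Tuple[str, str]], words: List[str]) -> Dict[str, int]:
    """Run both attacks against the same plaintext set and report cracked counts and work done."""
    unsalted_db = {name: store_unsalted(pw) for name, pw in users}
    salted_db = {name: store_salted(pw) for name, pw in users}
    table = build_table(words)
    u_found, u_ops = crack_unsalted(unsalted_db.values(), table)
    s_found, s_ops = crack_salted(salted_db.values(), words)
    return {
        "table_size": len(table),
        "unsalted_cracked": len(u_found),
        "unsalted_hash_ops": u_ops,
        "salted_cracked": len(s_found),
        "salted_hash_ops": s_ops,
    }


if __name__ == "__main__":
    for k, v in compare(USERS, WORDLIST).items():
        print(f"{k}: {v}")
```

Both attacks recover the same two weak passwords, but the unsalted run does so with zero hash computations, which is exactly the "skim the database for easy passwords" case; the salted run pays the full dictionary for every hash, and pays it again for the one password it never finds. Scale the eight words up to 10^9 and the skimming attack stops being free.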
Depends on the size of the missile...
Apple sells lovemaking devices now?
Where do I get one?
And how much surface area is that in unfolded libraries of congress, anyway?
Eternity lies ahead of us, and behind
Have you drunk your fill?
It really would be amazing if such an organism gained sentience...
Well, newspapers are dead - Netcraft just confirmed it.
You are right, the SSL certificate is not used to intercept the connection. It is merely used to disguise an intercepted connection as a genuine one.
The interception itself can be done by many different technical means, including DNS poisoning/spoofing, packet sniffing on a wireless network, etc. These aren't always trivial or feasible - but the risk of them is the reason SSL certificates exist in the first place.
In a nutshell:
When you log in to your email account, the server sends you a certificate to confirm that it does indeed belong to the email provider and not an eavesdropper.
By registering an email account like "admin" or "ssladmin", an attacker could contact certification authorities and request a new certificate pretending to be a staff member of the service.
They could then use that certificate to intercept and redirect your connection to their own server, intercepting passwords and emails, while your browser will still tell you that you are connected with a genuine mail server.
Yeah, dammit, like that darpanet thing. That would have been cool.
No advertiser will give you stuff for free. Your discount is paid for with your personal data.
What is in fact despicable, though, is when you are not told exactly what this data is going to be. There is nothing wrong with selling your email address (hell, I'd sell my own by the bucket-load if I got something for them; I have good filtering anyway), but you deserve to know in advance what it is you are selling. It's your right as a seller.
It's a web portal, so it's a good guess they're using *some* SQL database server.
But I also read the technical requirements document to find out, and they seem to support Microsoft's SQL Server as well as Oracle as a backend.
I support the ruling, but that sounds like a weak justification. Every technological discovery involves the laws of nature, whether it be the force of gravity, the propagation of electricity or radio waves. The entire field of engineering is the field of using the laws of nature to accomplish a purpose.
A pity Sergey Brin was born in Russia. If this trend continues, I'd vote for him next time round.
Is the proprietary online education platform with an apparent side job as a patent troll, if memory serves.
Given its closed nature, I wouldn't be surprised if their software is full to the brim with SQL injection, XSS and CSRF vulnerabilities that an interested elementary school student can exploit.
So that means men can use the Wii Fit without risk!
No moon? That's a space station?
(Millions of geeks suddenly sighed at the pun and were silenced.)
Imagine the RIAA stamping on a customer's face. Forever.
Maintaining antiquated code on a platform with no appreciable version control and clueless superiors? 20 hours per week, tops.
Writing something well that will be useful and is actually interesting? A hundred, easily.
Thank you again, pseudo-science.
They'll have to fight Google for it. :P
We used to call this kind of thing "jumping the shark".
(Or "selling out to the Man", but it's hard to say that with a straight face.)
Let A be the profit our product is supposed to be making. A = USD 1.213*10^9, a number arrived at through careful examination and economic theory, as well as the realization that I really like money.
Let B be the profit our product is actually making. This is obviously unrealistically low; we deserve to earn far more money than that. Also, I like money (see A).
The losses due to piracy are calculated by subtracting B from A.
1. Apache Foundation Attacked, Passwords Stolen
2. Please Do Not Change Your Password
Slashdot is awesome today!
Yeah - other than the passwords, an OSS foundation doesn't really have any secrets to steal. However, how disciplined is the average person about password hygiene? These passwords will grant access to many accounts in many places, compromising emails, systems and possibly other large user databases via admin accounts.
Only if you build yachts! :P