After having its SSL and EVSSL certificates deemed untrustworthy by the most popular browsers, VASCO announced that DigiNotar, filed a voluntary bankruptcy petition and was declared bankrupt today. This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2011-01-28
Wow, that is quite a stunning revelation.
The attackers could inject the malicious javascript payload into unencrypted traffic, and then command the browser to pound away at the HTTPS server sending known plaintexts for the attacker to analyze. This part is well known, but I'm quite shocked to hear that SSL is vulnerable to known plaintext attacks.
Given how they claim that the fixes break compatibility with all software running on millions of websites and web browsers anyways, this would be an excellent opportunity for software updates to include support for non-CA based authentication/encryption mechanisms.
Looking further down the line, it would be very nice if all traffic could be secured using the same infrastructure: SSH, email, http, vpn, voip, etc. When I punch in XYZ.com in any client, I should be automatically secured without the need to manually exchange keys.
Who today manually verifies SSH keys? How many people exchange their VPN keys through an unsecure source like email or an unverified SSH connection? We need an easier, more universal solution. And I think it's within reach, but the tricky part is getting a solution widely adopted.
Edited 2011-09-22 00:59 UTC
Member since:2007-09-22
Old versions of the SSL/TLS protocols are vulnerable to known adaptive plaintext attacks.
So an attacker has to be able to send a plaintext based on the analyzes of the HTTPS-traffic he/she sees and inject it in the HTTPS-traffic.
Which he/she can with JavaScript from an other page.
The problem is 3 things:
1. the browser allows pages on domain-X to talk to other domains. You don't even need JavaScript for that, it has always been possible.
2. the browser re-uses the same HTTPS-connection (or session-cache) for different pages
3. biggest problem is that that the old protocols don't seem to go away.
It is like the IE6-problem for webdevelopers.
For example all versions of IE on Windows XP do not support TLS/1.1 and TLS/1.2. They have no protection against this problem.
But most other browsers and server do not supoprt it either and those that support it have it turned off by default.
Because there are servers that only speak the older protocols which refuse to talk to clients that say they _also_ support the newer protocols.
The third and final WWDC product I want to talk about is - of course - OS X 10.9 Mavericks. While iOS 7 was clearly the focus of this year's WWDC, its venerable desktop counterpart certainly wasn't left behind. Apple announced OS X 10.9 Mavericks, the first OS X release not to carry the name of a big cat.
We already talked about iOS 7 yesterday (after a night of sleep, it's only looking worse and worse - look at this, for Fiona's sake!), so now it's time to talk about the downright stunning and belly flutters-inducing new Mac Pro. As former owner and huge, huge, huge fan of the PowerMac G4 Cube - I haven't been this excited about an Apple product since, well, I would say the iMac G4. This is the Apple I used to love.
Apple held its big keynote event thing at WWDC earlier this evening, but since I was away with friends I've had to read up on it later in the evening. The company announced iOS 7, OS X 10.9 Mavericks, and they gave a preview of the new Mac Pro. Especially the Mac Pro impressed me, and while iOS 7's new Holo/Metro-inspired theme looks messy and garish to me, I do commend Apple for finally breaking the mold. This news item will focus on iOS 7 - I'll dive into the Mac Pro and OS X 10.9 tomorrow (it's late here now).
And yes, the PRISM scandal is far, far from over. More and more information keeps leaking out, and the more gets out, the worse it gets. The companies involved have sent out official statements - often by mouth of their CEOs - and what's interesting is that not only are these official statements eerily similar to each other, using the same terms clearly designed by lawyers, they also directly contradict new reports from The New York Times. So, who is lying?This story is getting bigger and bigger. Even though most Americans probably already knew, it is now official: the United States government, through its National Security Agency, is collecting the communications and data of all American citizens, and of non-Americans using American services, through a wide collaboration with the large companies in technology, like Apple, Google, Microsoft, Facebook, and so on. Interestingly enough, the NSA itself, as well as the US government, have repeatedly and firmly denied this massive spying on Americans and non-Americans took place at all.Ah, patents - the never-ending scourge of the technology industry. Whether wielded by companies who don't actually make any products, or large corporations who abuse them because they can't compete in the market place or because they're simply jerks, they do the industry a huge disservice and are simply plain dangerous. According to The Wall Street Journal (circumvention link), president Obama is about to take several executive actions to address patent trolls - which may seem like a good idea, but I am very worried that all this will do is strengthen the positions of notorious patent system abusers such as Apple and Microsoft.
With version 13.05, the developers of the Genode OS Framework take measures to ensure that Genode continues to scale well with a growing number of users and the steadily broadening platform coverage. Further highlights are the improved SoC support for Exynos 5, OMAP4, Raspberry Pi, i.MX, and new components for realizing headless systems.At the D11 conference, Apple CEO Tim Cook once again took the stage to be interviewed by Walt Mossberg and Kara Swisher. While most of the interview can be replicated by picking and reading 10 random Apple fanblog stories - there were still a number of very interesting things that warrant some closer scrutiny.
So, the Xbox One disaster continues. Microsoft's policy for dealing with the used games market has reportedly leaked - and it's a clear and direct attack to destroy the used games market. Prices for used games will be set at the retail value of a new game, and retailers have to hook into Microsoft's computer systems and comply with Microsoft's terms and conditions.At an event earlier today, Microsoft unveiled the next Xbox - the third model, but confusingly named Xbox One. The big focus was TV, integrated Kinect, and all the other stuff we all expected to be forced down our throats. I think it took them 25 minutes to actually come to what should be the core of the story: gaming. Nothing groundbreaking in the gaming department, except for how Microsoft intends to handle the used games market and borrowing games from friends: pay up, buddy!
Member since:
2007-09-22
Seems the encryption scheme behind old HTTPS-protocols in combination with current browser implementations might be broken as well:
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
We'll see what this really means on Friday.
The new protocols are from 2006 and I think support for it in IE started on Windows Vista.
I wonder if this means Microsoft will release an update of their SSL-library for Windows so IE will be fixed to.
An other problem Firefox and Chrome do not support the new protocols yet.
Opera supports it, but it is disabled by default, it is also disabled on IE on Vista and Windows 7 because it is not compatible with all webservers.
Some of the webservers (SSL and TLS/1.0) do not allow browser with newer protocols (TLS/1.1 and TLS/1.2) to connect.