MessiandNeymar


Thursday, November 8, 2012

SSL Certificate Validation

Posted on 8:19 AM by Unknown

I quite enjoyed this recent paper: The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software

We present an in-depth study of SSL connection authentication in non-browser software, focusing on how diverse applications and libraries on Linux, Windows, Android, and iOS validate SSL server certificates. We use both white- and black-box techniques to discover vulnerabilities in validation logic. Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries. When presented with self-signed and third-party certificates—including a certificate issued by a legitimate authority to a domain called AllYourSSLAreBelongTo.us—they establish SSL connections and send their secrets to a man-in-the-middle attacker.

Security is interesting; there are so many different ways to get it wrong!
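
The abstract names two distinct failures: accepting self-signed certificates (the chain is never validated) and accepting a certificate legitimately issued to some other domain (the hostname is never checked). The Python below is an added example, not code from the paper or from this post; it audits a client `ssl.SSLContext` for each gap separately, and all function names and finding labels are made up for illustration.

```python
import ssl


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the certificate-validation gaps in a client-side SSLContext."""
    findings = []
    # Without CERT_REQUIRED the chain is never checked against trusted roots,
    # so a self-signed certificate is accepted.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")
    # Without check_hostname, any certificate that chains to a trusted root is
    # accepted, including one issued by a legitimate CA to a different domain.
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    return findings


def strict_client_context() -> ssl.SSLContext:
    # The stdlib default for clients: CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context()


def chain_only_context() -> ssl.SSLContext:
    # Validates the chain but not the name: the "third-party certificate" case.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def no_validation_context() -> ssl.SSLContext:
    # Validates nothing: the "self-signed certificate" case.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, factory in [
        ("strict", strict_client_context),
        ("chain only", chain_only_context),
        ("no validation", no_validation_context),
    ]:
        print(f"{name:14s} -> {audit_context(factory()) or 'ok'}")
```

A context that passes the chain check alone still reports `hostname-not-checked`, which is why the two settings have to be audited independently.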
